Skill Detail

Restrict outbound domains for GitHub Agentic Workflows before repository agents can browse freely with gh-aw-firewall

Run GitHub Agentic Workflow jobs behind a domain allowlist and optional API-key sidecar instead of giving repository agents broad outbound access.

Security & Verification Custom Agents Security Reviewed
โญ 55 GitHub stars
INSTALL WITH ANY AGENT
`npx skills add agentskillexchange/skills --skill restrict-outbound-domains-for-github-agentic-workflows-before-repository-agents-can-browse-freely-with-gh-aw-firewall`
Works best when you want a reusable capability, not another fragile one-off prompt.
At a glance
Tools required
Docker 20.10+, Docker Compose v2, Linux host or compatible runtime
Install & setup
Install with the upstream installer, for example `curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo bash`, then run `awf --allow-domains <domain-list> -- <your-agentic-workflow-command>`.
Author
GitHub
Publisher
Organization
Last updated
Apr 16, 2026
Quick brief

Use gh-aw-firewall when the job is specifically to harden GitHub Agentic Workflows with network policy before those agents are allowed to operate in CI or automation lanes. It wraps the command in a Docker sandbox, routes HTTP and HTTPS traffic through a proxy that enforces the domain allowlist, and can keep LLM API keys in a sidecar so they never enter the agent process. The scope boundary is narrow and publishable: this is a GitHub Agentic Workflows firewall workflow, not a generic container platform or broad GitHub product listing.