While attempting to code review for T185384, I discovered that this extension obtains proxy information from Wikimedia using an API call. Unfortunately, this is using the return type PHP, and it is passed directly to unserialize. See Line 121 of AutoProxyBlock.body.php.
I'm pretty sure I don't have to explain why this is a security issue. For details, see the PHP article on unserialize: http://php.net/manual/en/function.unserialize.php