@tuanaiseochecks…contribai/fix/security/path-traversal-in-package-skill-py → master1 files · +10 −0updated 4w agoThe script creates a zip file from a skill folder using rglob and relative_to. If a malicious symlink exists outside the skill folder, it could be followed, allowing path traversal attacks (zip slip).
Severity: high
File: skill-creator/scripts/package_skill.py
Add validation to ensure all extracted paths are within the target directory. Use os.path.realpath() to resolve symlinks and verify the resolved path is within the skill_path.parent directory.
skill-creator/scripts/package_skill.py (modified)