AI Threat Alert

GHSA-wx3m-whqv-xv47: skillctl: path traversal enables credential exfiltration

GHSA-wx3m-whqv-xv47 HIGH
Published June 5, 2026
CISO Take

skillctl versions 0.1.0 and 0.1.1 contain four chained path-safety flaws — symlink following, unvalidated PathBuf deserialization in .skills.toml, and unguarded .. traversal — that allow an attacker to exfiltrate sensitive files such as ~/.aws/credentials or wipe arbitrary directories including ~/.ssh by publishing a malicious skills library or committing a crafted .skills.toml to a shared repo. The .skills.toml vector is particularly insidious because it is exactly the kind of file teams commit and exchange via PR, meaning a single merged malicious PR is sufficient to weaponize the maintainer's next skillctl pull. With only 2 downstream dependents and no EPSS data or active exploitation reported the current blast radius is limited, but the attack is deterministic, requires no special privileges, and is trivially weaponizable against any cloud-connected AI development environment where developers hold AWS or GCP credentials locally. Upgrade to v0.1.2 immediately, audit externally-sourced .skills.toml files for absolute paths or .. components, and scan skill library directories for unexpected symlinks.

Sources: GitHub Advisory ATLAS

What is the risk?

Medium-High for teams using skillctl in cloud-connected AI development workflows. The vulnerabilities are classic CWE-22 and CWE-61 requiring no AI/ML expertise — any attacker with write access to a shared skills registry or the ability to submit a PR can deterministically trigger credential exfiltration or data destruction. The absence of EPSS data and only 2 known downstream dependents currently limits real-world exposure, but teams that share .skills.toml via version control are at elevated risk since the attack surface is embedded in normal development workflow rather than requiring external network access.

How does the attack unfold?

Malicious Library Staging
Adversary publishes a skills library to a public registry containing a symlink pointing to a sensitive file (e.g., ~/.aws/credentials), or commits a .skills.toml with absolute destination/source_path to a shared team repository via PR.
AML.T0104
Victim Pull Execution
Developer runs 'skillctl pull', triggering fs::copy which dereferences the symlink and copies sensitive file contents into the project directory, or remove_dir_all which wipes the targeted arbitrary directory.
AML.T0011.001
Local Credential Capture
Sensitive operator files (AWS credentials, SSH keys, tokens) are now present in plaintext within the project directory under attacker-controlled filenames, accessible without any further exploitation.
AML.T0037
Round-Trip Exfiltration
Developer's subsequent 'skillctl push' publishes the project — now containing the copied secrets — to the public skills registry, completing credential exfiltration via the victim's own tooling with no network activity attributable to the attacker.
AML.T0025

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Cline cargo < 0.1.2 0.1.2
62.9K 2 dependents Pushed 6d ago 50% patched ~0d to patch Full package profile →

Do you use Cline? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps

  1. Upgrade to skillctl v0.1.2 immediately — the patch hard-rejects symlinks at copy time, validates .skills.toml paths at load time rejecting absolute paths and .. components, and adds a safe_join helper at all destructive call sites.

  2. Before upgrading, do not run skillctl pull, push, or detect with untrusted libraries or unreviewed .skills.toml files from external sources.

  3. Audit all .skills.toml files in shared repositories for absolute paths (starting with /) or .. components before running any skillctl command.

  4. Scan skill library directories for symlinks pointing outside the project root: find <skills_dir> -type l -ls.

  5. Review any files recently pulled from external skills libraries for unexpected content that may have been symlink-dereferenced from sensitive locations on the operator's machine.

How is it classified?

Supply Chain Data Extraction Privacy Violation Agent Plugin AML.T0010.005 AML.T0011.001 AML.T0025 AML.T0037 AML.T0104

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.10.2 - AI system development security A.6.2 - Supplier and third-party relationships
NIST AI RMF
GOVERN 1.2 - Accountability and organizational roles for AI risk
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is GHSA-wx3m-whqv-xv47?

skillctl versions 0.1.0 and 0.1.1 contain four chained path-safety flaws — symlink following, unvalidated PathBuf deserialization in .skills.toml, and unguarded .. traversal — that allow an attacker to exfiltrate sensitive files such as ~/.aws/credentials or wipe arbitrary directories including ~/.ssh by publishing a malicious skills library or committing a crafted .skills.toml to a shared repo. The .skills.toml vector is particularly insidious because it is exactly the kind of file teams commit and exchange via PR, meaning a single merged malicious PR is sufficient to weaponize the maintainer's next skillctl pull. With only 2 downstream dependents and no EPSS data or active exploitation reported the current blast radius is limited, but the attack is deterministic, requires no special privileges, and is trivially weaponizable against any cloud-connected AI development environment where developers hold AWS or GCP credentials locally. Upgrade to v0.1.2 immediately, audit externally-sourced .skills.toml files for absolute paths or .. components, and scan skill library directories for unexpected symlinks.

Is GHSA-wx3m-whqv-xv47 actively exploited?

No confirmed active exploitation of GHSA-wx3m-whqv-xv47 has been reported, but organizations should still patch proactively.

How to fix GHSA-wx3m-whqv-xv47?

1. Upgrade to skillctl v0.1.2 immediately — the patch hard-rejects symlinks at copy time, validates .skills.toml paths at load time rejecting absolute paths and .. components, and adds a safe_join helper at all destructive call sites. 2. Before upgrading, do not run skillctl pull, push, or detect with untrusted libraries or unreviewed .skills.toml files from external sources. 3. Audit all .skills.toml files in shared repositories for absolute paths (starting with /) or .. components before running any skillctl command. 4. Scan skill library directories for symlinks pointing outside the project root: find <skills_dir> -type l -ls. 5. Review any files recently pulled from external skills libraries for unexpected content that may have been symlink-dereferenced from sensitive locations on the operator's machine.

What systems are affected by GHSA-wx3m-whqv-xv47?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI development tooling, skills and plugin management systems.

What is the CVSS score for GHSA-wx3m-whqv-xv47?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksAI development toolingskills and plugin management systems

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0011.001 Malicious Package
AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0104 Publish Poisoned AI Agent Tool

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.10.2, A.6.2
NIST AI RMF: GOVERN 1.2
OWASP LLM Top 10: LLM05, LLM07

What are the technical details?

Original Advisory

## Impact `skillctl` 0.1.0 and 0.1.1 contained four path-safety vulnerabilities that, in combination, allowed an attacker to: 1. **Exfiltrate arbitrary files on the operator's machine** by publishing a malicious skills library containing a symlink inside a skill folder (e.g. `niania → /home/user/.aws/credentials`). The symlink fell through `entry.file_type().is_dir()` in `fs_util::copy_dir_all`, was dereferenced by `fs::copy`, and the target's content was copied into the project. A subsequent `skillctl push` would have published the secret to the (possibly public) library — what the reporter called "round-trip path exfiltration". 2. **Delete arbitrary directories outside the project or library root** by crafting a `.skills.toml` with a malicious `destination` or `source_path` field. Both were deserialized as `PathBuf` with zero validation. Because `Path::join` lets an absolute right-hand side replace the base, `destination = "/home/user/.ssh"` made `cwd.join(...)` resolve outside the project; `..` traversal was equally unguarded. Downstream `remove_dir_all` in `replace_folder_contents` then wiped arbitrary writable directories on `skillctl pull` / `push` / `detect`. `.skills.toml` is the exact kind of file teams commit and exchange via PR; a single merged malicious PR was sufficient to weaponise the maintainer's next `skillctl pull --all`. 3. **`detect --target` accepted `..` traversal**, even though absolute paths were rejected. `--target ../../../etc` would have written outside the library root. 4. **Fork-name validation accepted `.` and `..` literally**, so a fork named `..` would have produced a `Path::join` resolving to the parent directory and `fs::rename` could have clobbered it. ## Patches Fixed in [v0.1.2](https://github.com/umanio-agency/skillctl/releases/tag/v0.1.2): - Symlinks inside skill folders are hard-rejected at copy time (both top-level source and any descendant entry). - `.skills.toml` `destination` and `source_path` are validated at load time and reject absolute paths, `..` components, and Windows-prefix components. - A new `path_safety::safe_join` helper is wired (defense-in-depth) at every destructive call site in `pull.rs` / `push.rs`. - `detect --target` and the interactive custom-path prompt go through the same `validate_relative_subpath` helper. - `validate_fork_name` explicitly rejects `.` and `..`. Threat-model note: the fix is purely lexical (component-level) plus an explicit symlink check at copy time. No filesystem `canonicalize` calls were added, avoiding TOCTOU windows. ## Credit Reported privately on 2026-05-19 by **firebaguette** via the Umanio Discord (the reporter declined GitHub credit, so this advisory carries no structured credits field).

Exploitation Scenario

An adversary targeting an AI development team publishes a malicious skills library to a public registry containing a symlink named 'config' pointing to /home/user/.aws/credentials. When a developer runs 'skillctl pull', the symlink is dereferenced by fs::copy and the credentials file content is silently copied into the project directory under the attacker-chosen filename. The developer then runs 'skillctl push' to share an updated skills package with teammates, unknowingly publishing the AWS credentials to the public library where the adversary retrieves them. In a parallel attack vector, the adversary submits a PR to a team repository adding destination = '/home/user/.ssh' to an existing .skills.toml; when any teammate merges the PR and runs skillctl pull, remove_dir_all executes against the SSH key directory, locking the entire team out of production servers.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-61 UNIX Symbolic Link (Symlink) Following Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

References

Timeline

Published
June 5, 2026
Last Modified
June 5, 2026
First Seen
June 5, 2026

Related Vulnerabilities

CRITICAL CVE-2026-44211 9.6

cline: WebSocket auth bypass enables terminal RCE

Same package: cline
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Supply Chain
CRITICAL CVE-2025-5120 10.0

smolagents: sandbox escape enables unauthenticated RCE

Same attack type: Supply Chain
Back to Threat Feed