PT-2026-49599 · Crates.Io · Skillctl

Published

2026-06-05

·

Updated

2026-06-05

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Impact

skillctl 0.1.0 and 0.1.1 contained four path-safety vulnerabilities that, in combination, allowed an attacker to:
  1. Exfiltrate arbitrary files on the operator's machine by publishing a malicious skills library containing a symlink inside a skill folder (e.g. niania → /home/user/.aws/credentials). The symlink fell through entry.file type().is dir() in fs util::copy dir all, was dereferenced by fs::copy, and the target's content was copied into the project. A subsequent skillctl push would have published the secret to the (possibly public) library — what the reporter called "round-trip path exfiltration".
  2. Delete arbitrary directories outside the project or library root by crafting a .skills.toml with a malicious destination or source path field. Both were deserialized as PathBuf with zero validation. Because Path::join lets an absolute right-hand side replace the base, destination = "/home/user/.ssh" made cwd.join(...) resolve outside the project; .. traversal was equally unguarded. Downstream remove dir all in replace folder contents then wiped arbitrary writable directories on skillctl pull / push / detect. .skills.toml is the exact kind of file teams commit and exchange via PR; a single merged malicious PR was sufficient to weaponise the maintainer's next skillctl pull --all.
  3. detect --target accepted .. traversal, even though absolute paths were rejected. --target ../../../etc would have written outside the library root.
  4. Fork-name validation accepted . and .. literally, so a fork named .. would have produced a Path::join resolving to the parent directory and fs::rename could have clobbered it.

Patches

Fixed in v0.1.2:
  • Symlinks inside skill folders are hard-rejected at copy time (both top-level source and any descendant entry).
  • .skills.toml destination and source path are validated at load time and reject absolute paths, .. components, and Windows-prefix components.
  • A new path safety::safe join helper is wired (defense-in-depth) at every destructive call site in pull.rs / push.rs.
  • detect --target and the interactive custom-path prompt go through the same validate relative subpath helper.
  • validate fork name explicitly rejects . and ...
Threat-model note: the fix is purely lexical (component-level) plus an explicit symlink check at copy time. No filesystem canonicalize calls were added, avoiding TOCTOU windows.

Credit

Reported privately on 2026-05-19 by firebaguette via the Umanio Discord (the reporter declined GitHub credit, so this advisory carries no structured credits field).

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-22CWE-61

Related Identifiers

GHSA-WX3M-WHQV-XV47

Affected Products

Skillctl