Claude Code

TL;DR Agent SkillSlip is a class of path traversal vulnerabilities in AI agent skill/plugin installers. The name field inside skill metadata is used directly in path.join() without validation, writing files to attacker-controlled locations — but the user only sees the archive filename or repository URL, not the internal metadata Found across three tools: Gemini CLI, Claude Code, and Vercel’s add-skill Impact ranges from VS Code terminal hijacking to SSH key injection add-skill fixed in PR #8 and PR #108. Gemini CLI and Claude Code remain unpatched as of writing The Pattern After installing a Gemini CLI skill: .vscode/settings.json injected, terminal hijacked ...

allowedDomains: [], “Empty array = no network access.” — Anthropic Sandbox Runtime Documentation The implementation did not match the documentation. When I configured Claude Code’s sandbox with allowedDomains: [], expecting complete network isolation, the sandbox was wide open and allowed connections to any server on the internet. Anthropic patched this quietly in Claude Code v2.0.55 with a changelog entry saying “Fix proxy DNS resolution” — no mention of a critical security flaw. They assigned CVE-2025-66479 to their runtime library but did not assign a CVE to their flagship product Claude Code. The changelog did not include a security advisory. In practice, the issue was fixed quietly and most users were unlikely to realize there was a security patch. ...