Agent SkillSlip: Path Traversal in Google Gemini CLI, Anthropic Claude Code, and Vercel add-skill
TL;DR Agent SkillSlip is a class of path traversal vulnerabilities in AI agent skill/plugin installers. The name field inside skill metadata is used directly in path.join() without validation, writing files to attacker-controlled locations — but the user only sees the archive filename or repository URL, not the internal metadata Found across three tools: Gemini CLI, Claude Code, and Vercel’s add-skill Impact ranges from VS Code terminal hijacking to SSH key injection add-skill fixed in PR #8 and PR #108. Gemini CLI and Claude Code remain unpatched as of writing The Pattern After installing a Gemini CLI skill: .vscode/settings.json injected, terminal hijacked ...