Comment and Control: Claude Code Security Review leaking ANTHROPIC_API_KEY via prompt injection

Comment and Control: Prompt Injection to Credential Theft in Claude Code, Gemini CLI, and GitHub Copilot Agent

By Aonan Guan, with Johns Hopkins University’s Zhengyu Liu and Gavin Zhong

Update — 2026-05-04. I reported this on 2025-10-17; Anthropic accepted it at Critical (CVSS 9.3), upgraded it to Critical (CVSS 9.4) on 2025-11-25, and changed it to None on 2026-04-20.

Three of the most widely deployed AI agents on GitHub Actions can be hijacked into leaking the host repository’s API keys and access tokens — using GitHub itself as the command-and-control channel. ...

April 15, 2026 · 15 min · 3078 words · Aonan Guan

Agent SkillSlip: Path traversal in Gemini CLI skill installation writes to .vscode

Agent SkillSlip: Path Traversal in Google Gemini CLI, Anthropic Claude Code, and Vercel add-skill

TL;DR

Agent SkillSlip is a class of path traversal vulnerabilities in AI agent skill/plugin installers. The name field inside skill metadata is used directly in path.join() without validation, writing files to attacker-controlled locations — but the user only sees the archive filename or repository URL, not the internal metadata
Found across three tools: Gemini CLI, Claude Code, and Vercel’s add-skill
Impact ranges from VS Code terminal hijacking to SSH key injection
add-skill fixed in PR #8 and PR #108. Gemini CLI and Claude Code remain unpatched as of writing

The Pattern

After installing a Gemini CLI skill: .vscode/settings.json injected, terminal hijacked ...

March 8, 2026 · 10 min · 2027 words · Aonan Guan