Agent SkillSlip: Path traversal in Gemini CLI skill installation writes to .vscode

Agent SkillSlip: Path Traversal in Google Gemini CLI, Anthropic Claude Code, and Vercel add-skill

TL;DR
Agent SkillSlip is a class of path traversal vulnerabilities in AI agent skill/plugin installers.
The name field inside skill metadata is used directly in path.join() without validation, writing files to attacker-controlled locations — but the user only sees the archive filename or repository URL, not the internal metadata.
Found across three tools: Gemini CLI, Claude Code, and Vercel’s add-skill.
Impact ranges from VS Code terminal hijacking to SSH key injection.
add-skill fixed in PR #8 and PR #108. Gemini CLI and Claude Code remain unpatched as of writing.
The Pattern
After installing a Gemini CLI skill: .vscode/settings.json injected, terminal hijacked ...

March 8, 2026 · 10 min · 2008 words · Aonan Guan
CVE-2026-27735: Agent sandbox vs MCP server runtime — how git_add bypasses CWD restrictions

Capability Laundering in MCP 3: CVE-2026-27735 Anthropic Git MCP Server git_add Path Traversal to Credential Exfiltration

Capability Laundering: The Series So Far
This is the third case in an ongoing series documenting capability laundering in MCP ecosystems. Capability laundering is when an agent calls one tool, but gets the effect of a different capability via side effects. It occurs when all three conditions are met:
The tool’s contract does not cover its effects — the implementation can produce effects beyond what the tool claims to do.
Inputs can steer those effects — arguments can influence which effect happens and what gets modified.
Controls gate tool calls, not effects — approvals and policies do not model the effect being produced.
The previous two cases: ...

February 28, 2026 · 8 min · 1558 words · Aonan Guan
MCP Git Server capability laundering: git_init enables credential exfiltration

Capability Laundering in MCP 2: CVE-2025-68143 Anthropic Git MCP Server Path Traversal to Credential Exfiltration

What Happened In our previous analysis, we identified capability laundering in Anthropic’s Memory MCP Server: a “memory storage” tool that could write arbitrary configuration files through unconstrained implementation. This is the second case. The MCP Git Server (mcp-server-git) exposes Git operations to AI agents. The git_init tool accepts arbitrary repo_path values without validation, creating repositories in any filesystem location. Combined with git_diff_staged, this turns a “Git helper” into a credential exfiltration primitive. ...

December 28, 2025 · 8 min · 1518 words · Aonan Guan

Three Dots to Root: How I Found a Path Traversal in Microsoft's Agentic Web (NLWeb)

Discovered a classic path traversal vulnerability in Microsoft’s new Agentic Web protocol (NLWeb) that could expose sensitive files including API keys, credentials, and configuration files. The vulnerability was particularly critical as it could compromise AI agents’ “cognitive engines” by leaking LLM API keys. The research was featured in an exclusive interview with The Verge and subsequently covered by 30+ international media outlets across 15+ countries in 10+ languages, including PCWorld, IT Pro, Neowin, Tom’s Guide, CIO Korea, 3DNews Russia, iSpazio Italy, and Dagens AI Denmark. ...

August 6, 2025 · 1 min · 93 words · Aonan Guan