GHSA-74P7-6H78-GW8P: Multiple Critical Security Flaws in skillctl Agent-Skill Manager
Vulnerability ID: GHSA-74P7-6H78-GW8P
CVSS Score: 8.6
Published: 2026-06-22
An in-depth security audit of the skillctl command-line package manager revealed five critical and high-severity security vulnerabilities. The identified flaws span command argument injection via the source_sha parameter, uncontrolled resource consumption (Denial of Service) through unnamed UNIX FIFOs and character devices, path traversal in the destination argument, commit-message trailer forgery via newline injection in skill names, and local credential exfiltration leveraging UNIX hardlinks. These vulnerabilities represent significant vectors for workstation compromise when executing agentic tasks in repositories containing untrusted files or pull requests. Remediation was introduced in version v0.1.3.
TL;DR
Multiple critical vulnerabilities in skillctl allow malicious repositories to perform argument injection, system-wide directory deletion, persistent denial of service, commit forgery, and credential exfiltration when processed by AI developer agents.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-88, CWE-400, CWE-22, CWE-93, CWE-59
- Attack Vector: Local / Social Engineering via Malicious Repository Configuration
- CVSS v3.1: 8.6 (High)
- Exploit Status: Proof of Concept (PoC) available in official test suite
- Impact: Command Execution, Directory Deletion, Denial of Service, Local Secret Exfiltration
- Remediation Status: Patched in version v0.1.3
Affected Systems
- skillctl
- skillctl: < v0.1.3 (Fixed in: v0.1.3)
Code Analysis
Commit: 28dfce3
Fix argument injection in git ls-tree, reject named pipes/devices/hardlinks, prevent relative path traversals, and sanitize input names.
Mitigation Strategies
- Upgrade skillctl immediately to version v0.1.3 or later to apply the validation and resolution fixes.
- Avoid running skillctl or autonomous agents inside directories mapped from untrusted pull requests.
- Review skill definitions and configuration files (.skills.toml) manually before execution.
Remediation Steps:
- For systems running skillctl via Python package managers, execute: pip install --upgrade skillctl
- For Rust Cargo environments, run: cargo install skillctl --force
- Validate the local skill configuration using local sanitization scripts to look for non-hex values in source_sha keys.