In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade skillctl to version 0.1.3 or higher.
Affected versions of this package are vulnerable to CRLF Injection via improper validation of user-supplied arguments and file paths. An attacker can execute arbitrary commands, access or overwrite files outside the intended directory, cause denial of service by leveraging special files such as FIFOs or devices, exfiltrate sensitive data through hardlinks, or forge commit metadata by injecting malicious input. This is only exploitable if attacker-controlled values are supplied to arguments such as --dest, source_sha, or skill names in non-interactive or agent-driven workflows.
This vulnerability can be mitigated by auditing .skills.toml source_sha fields, library content for special files and hardlinks, and avoiding attacker-controlled values for --dest and --message in agent or CI contexts.