Security: Directory traversal in CLI skill installer allows arbitrary file writes #2234

@spidershield-contrib

Summary

The installSkillFiles() function in packages/cli/src/utils/installer.ts does not validate file paths before writing. A malicious skill repository can include files with ../ sequences in their paths, allowing writes to arbitrary locations on disk.

Affected Code

installer.ts:14

const filePath = join(skillDir, file.path);
// file.path is not validated — "../../../etc/crontab" resolves outside skillDir

github.ts:127 — The source of these paths:

const relativePath = item.path.slice(skillPath.length + 1);
// No validation on relativePath before it becomes file.path

Attack Vector

  1. Attacker creates a GitHub repository with a skill directory containing a file like my-skill/../../../.bashrc
  2. The GitHub API tree filter at line 108 (item.path.startsWith(skillPath + "/")) does NOT block this — my-skill/../../../.bashrc starts with my-skill/
  3. relativePath becomes ../../../.bashrc
  4. path.join(skillDir, "../../../.bashrc") resolves to a path outside skillDir
  5. writeFile() overwrites the file with attacker-controlled content

Impact

  • Arbitrary file write as the current user
  • Can overwrite shell configs, SSH keys, or plant malicious code
  • Triggered by installing any untrusted skill

Suggested Fix

  1. Use path.resolve() instead of path.join() and verify the resolved path starts with the skill directory
  2. Reject paths containing .. at download time as defense-in-depth
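The two checks from the Suggested Fix, sketched as an added example that is not the project's code: `safeJoin`, `hasDotDotSegment` and `planWrites` are hypothetical names, and the directory and file paths are constructed samples. The containment check compares against the skill directory plus a path separator, because a bare `startsWith` on the directory name would also accept a sibling directory such as `my-skill-evil`.

```typescript
import * as path from "node:path";

// Hypothetical helper: resolve an untrusted relative path against skillDir and
// refuse anything that does not land strictly inside it.
// path.resolve() is purely lexical; it does not follow symlinks on disk.
function safeJoin(skillDir: string, untrusted: string): string {
  const base = path.resolve(skillDir);
  const target = path.resolve(base, untrusted);
  // base + path.sep rejects "<base>-evil/..." and the directory itself ("" or ".").
  if (!target.startsWith(base + path.sep)) {
    throw new Error(`path escapes skill directory: ${untrusted}`);
  }
  return target;
}

// Defense-in-depth at download time: reject any ".." path segment, even one
// that would still resolve inside the directory. Names like "notes..md" pass.
function hasDotDotSegment(relativePath: string): boolean {
  return relativePath.split(/[\\/]/).some((segment) => segment === "..");
}

// Apply both checks to a list of untrusted paths before anything is written.
function planWrites(skillDir: string, filePaths: string[]) {
  const accepted: string[] = [];
  const rejected: string[] = [];
  for (const p of filePaths) {
    try {
      if (hasDotDotSegment(p)) throw new Error("'..' segment in path");
      accepted.push(safeJoin(skillDir, p));
    } catch {
      rejected.push(p);
    }
  }
  return { accepted, rejected };
}

// Constructed sample input, not taken from a real repository.
const sampleDir = "/tmp/skills/my-skill";
const samplePaths = ["SKILL.md", "scripts/run.sh", "../../../.bashrc",
  "../my-skill-evil/x", "/etc/crontab", "docs/../README.md"];
console.log(planWrites(sampleDir, samplePaths));
```

Only `SKILL.md` and `scripts/run.sh` are accepted; `docs/../README.md` would pass the containment check on its own but is dropped by the stricter segment check.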
