[T2.1] Filesystem Escape
Detects path traversal, symlink attacks, and file access outside the skill directory.
What It Detects
Filesystem escape occurs when a skill accesses, modifies, or creates files outside its designated directory tree. This includes classic path traversal using ../ sequences, symlink-based escapes where a symbolic link inside the skill directory points to a location outside it, and direct absolute path references to system or user directories. These techniques allow a skill to break out of its expected scope.
Why It Matters
Filesystem escape is a gateway to more severe attacks. Once a skill can read outside its own directory, it can access credentials, configuration files, and sensitive data belonging to other applications on the system. Filesystem escape frequently compounds with data exfiltration (T1.1) and credential harvest (T1.5).
Examples
- A skill reads a configuration file using the path ../../.env, traversing upward out of its directory to access the project’s environment variables.
- During installation, a skill creates a symlink inside its own directory that points to /etc/passwd, then reads through the symlink to access system files.
- A dependency constructs a file path by concatenating user input with an absolute base, allowing an attacker to override the path and read arbitrary files on the system.
Severity & Impact
- Severity: MEDIUM to HIGH
- Score impact: -15 to -30 on the code_execution dimension
- Escalation: Simple ../ traversal that does not reach sensitive files is rated MEDIUM. Traversal or symlink attacks that successfully access files outside the skill tree are rated HIGH. If the escape leads to credential files or system configuration, the finding may compound with T1.5 or other threat patterns.
Remediation
Skills should use only relative paths within their own directory tree. Resolve all paths to canonical form and validate that the result remains within the skill root before performing any file operation. Avoid creating symbolic links during installation. Never reference absolute paths to system directories. If a skill needs to read external files, the host application should provide a restricted file access API with explicit path restrictions.
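
One way to implement the canonicalize-then-validate check described above, as an added example (not code from this scanner or its project). The names resolve_inside, FilesystemEscape and demo, and the temporary directory tree they build, are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class FilesystemEscape(Exception):
    """Raised when a requested path resolves outside the skill root."""


def resolve_inside(skill_root, requested):
    """Return the canonical path for `requested`, or raise if it leaves skill_root."""
    root = Path(skill_root).resolve(strict=True)
    # Joining with an absolute `requested` discards root, so absolute paths
    # are caught by the containment check below rather than by string tests.
    candidate = (root / requested).resolve(strict=False)  # follows symlinks
    if candidate != root and root not in candidate.parents:
        raise FilesystemEscape(f"{requested!r} resolves to {candidate}, outside {root}")
    return candidate


def demo():
    """Build a constructed skill tree and classify four sample paths."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp) / "skill"
        (skill / "data").mkdir(parents=True)
        (skill / "data" / "config.json").write_text("{}")
        (Path(tmp) / ".env").write_text("SECRET=constructed")
        # Symlink inside the skill directory pointing outside it.
        os.symlink(Path(tmp) / ".env", skill / "data" / "link")
        for req in ("data/config.json", "../.env", "data/link", "/etc/passwd"):
            try:
                resolve_inside(skill, req)
                results[req] = "allowed"
            except FilesystemEscape:
                results[req] = "blocked"
    return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8} {path}")
```

Open the canonical path that resolve_inside returns, not the original string, so the file operation acts on the path that was validated. The check and the open are still separate steps, so a directory that can change between them needs the restricted host file access API described above.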