Below is a concise Markdown summary of the key vulnerability information in this GitHub commit:

---

**Commit:** …
**Author:** aether-ai-agent, steipete
**Date:** 3 days ago
**Message:** Fix (Security) OC-22 Prevent Zip Slip and Symlink Following in Skill Packaging

**Vulnerability:** OC-22
**CVSS:** 7.7
**CWE:** 426

## Security Fixes

1. **Symlink Detection and Rejection**
   - Added checks to detect and reject symlinks in skill directories.
   - Prevents attackers from including arbitrary system files in a skill package.
   - Emits an error message if any symlink is found.

2. **Path Traversal (Zip Slip) Prevention**
   - Validates `arcname` paths in zip archives.
   - Rejects paths containing … to prevent directory traversal.
   - Rejects absolute paths so that no member can escape the skill directory.
   - Prevents overwriting system files during extraction.

## Attack Vectors Mitigated

- **Symlink Following:** Rejects symlinks to critical system files like ….
- **Zip Slip:** Rejects crafted paths with … to avoid overwriting system files.

## Changes

**Files Modified:**

- …
  - Changes:
    - Added symlink check at lines 73-76.
    - Added path validation check at lines 84-87.
    - Enhanced error messages.
- …
  - Test Suite Added:
    - Comprehensive tests for symlink rejection, path traversal prevention, normal file packaging, and edge cases.

## Testing

All tests pass, covering normal file packaging, symlink rejection, path traversal protection, and edge-case handling.

---

This commit details a comprehensive security enhancement addressing symlink and path traversal vulnerabilities in the skill packaging system.
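The two checks the commit describes, symlink rejection while walking the skill directory and `arcname` validation before a member is written, are shown below as an added, self-contained example. This is not the project's own code: the function names, the `SkillPackagingError` type, the sample skill layout and the crafted archive are all constructed here for illustration. The example also adds the matching guard on the extraction side, since Zip Slip is ultimately a problem of where an archive member lands when unpacked.

```python
"""Added example, not the project's code: symlink rejection and arcname
validation when packaging a skill directory, plus the extraction-side guard.
All paths and sample content are constructed for illustration."""
import io
import os
import tempfile
import zipfile
from pathlib import Path


class SkillPackagingError(ValueError):
    """Raised when a skill directory or archive member fails a safety check."""


def validate_arcname(arcname: str) -> None:
    """Reject archive member names that could escape the extraction root.

    Zip member names use '/' as separator; backslashes are normalised too so a
    Windows-style traversal sequence cannot slip past the check.
    """
    norm = arcname.replace("\\", "/")
    if norm.startswith("/") or (len(norm) >= 2 and norm[1] == ":"):
        raise SkillPackagingError(f"absolute path in archive: {arcname!r}")
    if any(part == ".." for part in norm.split("/")):
        raise SkillPackagingError(f"path traversal in archive: {arcname!r}")


def is_rejected(arcname: str) -> bool:
    """True if validate_arcname refuses this member name."""
    try:
        validate_arcname(arcname)
    except SkillPackagingError:
        return True
    return False


def package_skill(skill_dir) -> bytes:
    """Zip a skill directory, refusing any symlink and any unsafe arcname.

    os.walk(followlinks=False) does not descend into symlinked directories, but
    they still appear in `dirnames`, so both dirnames and filenames are checked.
    """
    root = Path(skill_dir)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            for name in dirnames + filenames:
                full = Path(dirpath) / name
                if full.is_symlink():
                    rel = full.relative_to(root).as_posix()
                    raise SkillPackagingError(f"symlink not allowed in skill: {rel}")
            for name in filenames:
                full = Path(dirpath) / name
                arcname = full.relative_to(root).as_posix()
                validate_arcname(arcname)  # belt-and-braces: relative_to() already yields a relative path
                zf.write(full, arcname)
    return buf.getvalue()


def safe_extract(zip_bytes: bytes, dest) -> list:
    """Extract only members whose resolved target stays under dest."""
    dest_root = Path(dest).resolve()
    extracted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            validate_arcname(info.filename)
            target = (dest_root / info.filename).resolve()
            if target != dest_root and dest_root not in target.parents:
                raise SkillPackagingError(f"member escapes destination: {info.filename!r}")
            zf.extract(info, dest_root)
            extracted.append(info.filename)
    return extracted


def demo() -> dict:
    """Build a constructed skill directory and exercise both checks."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp) / "skill"
        (skill / "scripts").mkdir(parents=True)
        (skill / "SKILL.md").write_text("# constructed demo skill\n")
        (skill / "scripts" / "run.py").write_text("print('hello')\n")
        with zipfile.ZipFile(io.BytesIO(package_skill(skill))) as zf:
            results["members"] = sorted(zf.namelist())

        # A symlink pointing outside the skill directory must abort packaging.
        outside = Path(tmp) / "outside.txt"
        outside.write_text("not part of the skill\n")
        try:
            (skill / "scripts" / "leak").symlink_to(outside)
        except OSError:  # platform without symlink support: skip this part
            results["symlink_rejected"] = None
        else:
            try:
                package_skill(skill)
                results["symlink_rejected"] = False
            except SkillPackagingError:
                results["symlink_rejected"] = True

        # A constructed archive with a traversal member must be refused on extract.
        evil = io.BytesIO()
        with zipfile.ZipFile(evil, "w") as zf:
            zf.writestr("../escaped.txt", b"constructed sample content")
        try:
            safe_extract(evil.getvalue(), Path(tmp) / "out")
            results["traversal_rejected"] = False
        except SkillPackagingError:
            results["traversal_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The packaging-side `validate_arcname` call is deliberately redundant with `relative_to()`, which already yields a relative path; keeping an explicit check means a later refactor that builds `arcname` differently cannot silently reintroduce traversal, and the same function is reused on extraction, where untrusted member names actually arrive.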