Path traversal in skill_view allows reading arbitrary files including API keys

[Farukest]

skill_view accepts a file_path parameter to read files within a skill directory, but does not validate the path for traversal. An LLM or prompt injection can read arbitrary files on the system.

Reproduction

skill_view("any-skill", file_path="../../.env")

This reads ~/.hermes/.env which contains API keys (OPENAI_API_KEY, OPENROUTER_API_KEY, etc).

Root cause

File: tools/skills_tool.py, lines 445-446

if file_path and skill_dir:
    target_file = skill_dir / file_path

No validation on file_path. The path is joined directly to the skill directory and read without checking if it escapes the directory boundary.

skill_manager_tool.py already has this validation at lines 177-178:

if ".." in normalized.parts:
    return "Path traversal ('..') is not allowed."

But skills_tool.py does not implement it.

Impact

Any skill-using conversation where the LLM is tricked (or a malicious skill instructs it) to call skill_view with a crafted file_path can exfiltrate:

• ~/.hermes/.env (all API keys)
• ~/.ssh/id_rsa (SSH private keys)
• Any readable file on the system

Suggested fix

Add .. component check and resolve() containment check before reading, matching the existing pattern in skill_manager_tool.py.

[Farukest]

Hi @teknium1 , I've opened a PR for this at #221. Let me know if anything needs changes.

[teknium1]

Fixed in commit 1cb2311.

Added two layers of path traversal defense to skill_view:

1. Reject paths with .. components
2. resolve() containment check with trailing / to prevent prefix collisions and catch symlink escapes

Tests cover: direct traversal, nested traversal, symlink escape, legitimate paths still working, and verifying sensitive content never leaks.

Fix approach from PR #242 (@Bartok9). Thanks @Farukest for reporting the vulnerability and @Bartok9 for the robust fix. Both PRs had working code but their tests needed adjustment (mock target), so we applied the fix + rewrote the tests.