| Title | 8421bit MiniClaw 0 Path Traversal |
|---|
| Description | The executeSkillScript function is vulnerable to Path Traversal (CWE-22).
The function constructs the script path using unsanitized user-controlled inputs (skillName, scriptFile) with path.join(), without validating that the final path stays within the allowed SKILLS_DIR directory. Attackers can use ../ sequences to access arbitrary files on the server filesystem.
More details: https://github.com/8421bit/MiniClaw/issues/5 |
|---|
| Source | ⚠️ https://github.com/8421bit/MiniClaw/issues/5 |
|---|
| User | ybdesire (UID 83239) |
|---|
| Submission | 04/20/2026 12:54 (3 months ago) |
|---|
| Moderation | 05/07/2026 18:33 (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 361901 [8421bit MiniClaw up to 43905b934cf76489ab28e4d17da28ee97970f91f executeSkillScript src/kernel.ts isPathInside path traversal] |
|---|
| Points | 20 |
|---|