Context-Inappropriate Capability
Medium
- Confidence
- 97% confidence
- Finding
- The code calls tar.extractall(tmpdir) on an untrusted archive before validating member names against the manifest or checking checksums. A crafted tarball can use path traversal or symlink/hardlink entries to write outside tmpdir during extraction, which is especially dangerous because this skill is explicitly intended to restore state on real hosts with access to workspace and config data.
