
sast-pathtraversal

Detects path traversal vulnerabilities in codebases using a structured three-phase approach for enhanced security assessment.

Security score: 0/100

The sast-pathtraversal skill was audited on Jun 13, 2026 and we found 7 security issues across 2 threat categories, including 5 critical. Review the findings below before installing.


Security Issues

Severity: high (line 324)
Finding: Template literal with variable interpolation in command context
Source: SKILL.md, line 324:
  > - String concatenation used as a path: `BASE + var`, `f"{BASE}/{var}"`, `` `${base}/${var}` ``
Severity: critical (line 23)
Finding: Access to /etc/passwd
Source: SKILL.md, line 23:
  Path traversal (also called directory traversal) occurs when user-supplied input is incorporated into a file path that is then used to read, write, or serve files from the filesystem — without properl
Severity: critical (line 438)
Finding: Access to /etc/passwd
Source: SKILL.md, line 438:
  > - Using `os.path.join` alone without `realpath` — `os.path.join('/base', '../etc/passwd')` still produces `/etc/passwd`
Severity: critical (line 440)
Finding: Access to /etc/passwd
Source: SKILL.md, line 440:
  > - Type validation (e.g., checking the extension is `.pdf`) without a path escape check — an attacker can use `../../etc/passwd%00.pdf` (null-byte) on older systems or frame the path to have the righ
Severity: critical (line 465)
Finding: Access to /etc/passwd
Source: SKILL.md, line 465:
  > - **Impact**: Read arbitrary files accessible to the process user, including `/etc/passwd`, application config, source code, private keys.
Severity: critical (line 538)
Finding: Access to /etc/passwd
Source: SKILL.md, line 538:
  - `os.path.join` and `path.join` alone do **not** prevent traversal — `os.path.join('/base', '../etc/passwd')` resolves to `/etc/passwd`. Only `realpath` + prefix check prevents this.
Severity: high (line 440)
Finding: Path traversal to sensitive directory
Source: SKILL.md, line 440:
  > - Type validation (e.g., checking the extension is `.pdf`) without a path escape check — an attacker can use `../../etc/passwd%00.pdf` (null-byte) on older systems or frame the path to have the righ
Scanned on Jun 13, 2026
GitHub stars: 661
Category: development
Updated: June 15, 2026
Repository: utkusen/sast-skills