Intel

AIKIDO-2026-501836

skills is vulnerable to Command Injection

Command Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

88

High Risk

This Affects:

JSskills
1.1.0 - 1.5.15
Fixed in 1.5.16
Are you affected? Scan for Free

TL;DR

The skills CLI clones skill repositories by passing user-influenced source URLs directly to git through cloneRepo in src/git.ts. A source URL that uses git's ext:: transport (for example ext::sh -c <command>) makes git run an arbitrary command as a remote helper, so a crafted skills add argument or a skills-lock.json source entry executes attacker-controlled commands during install or update. On Windows the update path additionally spawned the installer through a shell, letting metacharacters in lock-file source or ref fields inject further commands. The fix rejects ext:: transport URLs before invoking git and stops spawning skill updates through a shell.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and install or update skills from an untrusted source URL or skills-lock.json.

Background info

skills is vulnerable to Command Injection in versions 1.1.0 - 1.5.15.

How to fix this

Upgrade the skills library to the patch version.