Garry Tan 37e4cf5754 fix: TOCTOU race in setup symlink creation (C6) ...

Remove the existence check before mkdir -p (it's idempotent) and validate
the target isn't already a symlink before creating the link. Prevents a
local attacker from racing between the check and mkdir to redirect
SKILL.md writes. Closes C6 from security audit #783.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-04 21:22:24 -07:00

28 KiB

Executable File

Raw Blame History

View Raw