
Path traversal in skill_view allows reading arbitrary files including API keys #220

@Farukest

Description

skill_view accepts a file_path parameter to read files within a skill directory, but does not validate the path for traversal. An LLM or prompt injection can read arbitrary files on the system.

Reproduction

skill_view("any-skill", file_path="../../.env")

This reads ~/.hermes/.env which contains API keys (OPENAI_API_KEY, OPENROUTER_API_KEY, etc.).

Root cause

File: tools/skills_tool.py, lines 445-446

if file_path and skill_dir:
    target_file = skill_dir / file_path

No validation on file_path. The path is joined directly to the skill directory and read without checking if it escapes the directory boundary.

skill_manager_tool.py already has this validation at lines 177-178:

if ".." in normalized.parts:
    return "Path traversal ('..') is not allowed."

But skills_tool.py does not implement it.

Impact

Any skill-using conversation where the LLM is tricked (or a malicious skill instructs it) to call skill_view with a crafted file_path can exfiltrate:

  • ~/.hermes/.env (all API keys)
  • ~/.ssh/id_rsa (SSH private keys)
  • Any readable file on the system

Suggested fix

Add a .. component check and a resolve() containment check before reading, matching the existing pattern in skill_manager_tool.py.
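A hardened version of the join described above, added here as an illustration and not code from this issue or from the project's repository; resolve_skill_file, safe_skill_view and demo are names chosen for the example, and the directory layout demo builds is constructed. It shows both layers of the suggested fix and why the resolve() containment check is needed in addition to the '..' check (a symlink inside the skill directory contains no '..' but still escapes it).

```python
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Requested file would fall outside the skill directory."""


def resolve_skill_file(skill_dir: Path, file_path: str) -> Path:
    """Resolve file_path inside skill_dir or raise PathTraversalError.
    Layer 1 rejects '..' components and absolute paths on the raw input;
    layer 2 checks the fully resolved target is still under skill_dir."""
    requested = Path(file_path)
    if requested.is_absolute():
        raise PathTraversalError("absolute paths are not allowed")
    if ".." in requested.parts:
        raise PathTraversalError("Path traversal ('..') is not allowed.")
    base = skill_dir.resolve()
    target = (base / requested).resolve()
    # resolve() follows symlinks, so this also rejects a link inside the
    # skill directory that points outside it, which the '..' check misses.
    try:
        target.relative_to(base)
    except ValueError:
        raise PathTraversalError("file is outside the skill directory") from None
    return target


def safe_skill_view(skill_dir: Path, file_path: str) -> str:
    """Read a skill file only after the containment check passes."""
    return resolve_skill_file(skill_dir, file_path).read_text()


def demo() -> dict:
    """Constructed layout in a temp dir: a skill file, a secret two levels
    up, and a symlink inside the skill dir pointing at that secret."""
    root = Path(tempfile.mkdtemp())
    skill = root / "skills" / "any-skill"
    skill.mkdir(parents=True)
    (skill / "SKILL.md").write_text("constructed skill text")
    (root / ".env").write_text("OPENAI_API_KEY=constructed-placeholder")
    (skill / "link").symlink_to(root / ".env")
    results = {}
    for name in ("SKILL.md", "../../.env", "link"):
        try:
            results[name] = safe_skill_view(skill, name)
        except PathTraversalError as exc:
            results[name] = f"blocked: {exc}"
    return results
```

Running demo() returns the legitimate file's contents for "SKILL.md" and a "blocked:" message for both the ../../.env request and the symlink.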
