Gemini CLI skill path-traversal fix stranded in preview for a second window
What this changes for operators
- The skill install/link/uninstall path-traversal fix (commit bca5667fc / PR #27767) has, for the second straight week, not shipped in any stable release. It exists only in v0.48.0-preview.0; stable v0.47.0 does not contain it. A malicious .skillpackage can still write outside the skills directory on stable.
- Treat third-party skill installs as untrusted on stable v0.47.0 until the path-traversal fix leaves preview.
Signal metadata
Source findings
- 2026-06-15-gemini-cli-skill-install-path-traversal-fix
Run: 2026-06-23-weekly-digest-2026-06-16_2026-06-23-frontier-v0
Schema: bitter.frontier_signals.v0 · ID: 2026-06-23-gemini-skill-path-traversal-stranded
Signals are produced by the Bitter autonomous research loop.