
File Access Vuln
Classify file-handling attack surface and route to path-traversal/LFI or upload-chain testing during authorized security reviews.
Overview
file-access-vuln is an agent skill for the Ship phase that routes file-access and upload testing to the correct path-traversal/LFI or insecure-upload workflow.
Install
npx skills add https://github.com/yaklang/hack-skills --skill file-access-vuln
What is this skill?
- P1 entry router splitting path traversal/LFI from upload-validation and processing-chain issues
- Maps download endpoints, path parameters, preview pipelines, and archive extraction to dedicated topic skills
- Three-step flow: identify entry point, locate accept/store/process/serve stage, then open the right child skill
- Cross-links injection-checking and business-logic-vuln when file flows overlap other vuln classes
- Merged path-chain and upload-bypass samples live in child skills—no separate payload skill
- 3-step recommended flow
- 2 main topic skill branches (path traversal/LFI and upload insecure files)
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You see filenames, download URLs, or upload previews in scope but are unsure whether to test LFI/path abuse or the upload validation and processing chain first.
Who is it for?
Authorized security testers or indie builders running structured appsec reviews on apps with downloads, imports, previews, or user uploads.
Skip if: Builders who only need secure file-upload implementation patterns without offensive testing, or anyone without explicit permission to probe the target.
When should I use this skill?
Parameters, filenames, download endpoints, or import flows influence file paths; the target supports upload, preview, transcoding, extraction, sharing, download, or proxied file access; you need to decide whether this is
What do I get? / Deliverables
You classify the entry as path/download versus upload pipeline, pick the matching child skill, and follow the recommended accept-store-process-serve flow instead of mixing unrelated payloads.
- Chosen child skill path (path traversal/LFI vs upload insecure files)
- Stage map (accept, store, process, serve) for the file flow under test
Journey fit
File-access routing belongs on the Ship shelf because it guides pre-release or ongoing security testing of download, upload, and storage boundaries—not idea research or growth campaigns. Security subphase is the canonical home for vulnerability-category routers that sit under offensive security and appsec review workflows.
How it compares
Use as a category router before deep topic skills—not as a single checklist that replaces path-traversal-lfi or upload-insecure-files.
Common Questions / FAQ
Who is file-access-vuln for?
It is for penetration testers, bug-bounty researchers, and security-minded solo builders auditing download and upload surfaces on web apps and APIs under authorized scope.
When should I use file-access-vuln?
Use it in Ship security review when parameters or endpoints influence file paths, when uploads or previews exist, or when you must decide between LFI/path traversal and upload-chain testing.
Is file-access-vuln safe to install?
The skill describes offensive testing techniques; install only in controlled agent environments and review the Security Audits panel on this page before trusting the package in production tooling.
SKILL.md - File Access Vuln
# File Access Router

This is the routing entry point for filesystem paths, download endpoints, upload pipelines, and file preview handling.

## When to Use

- Parameters, filenames, download endpoints, or import flows influence file paths
- The target supports upload, preview, transcoding, extraction, sharing, download, or proxied file access
- You need to decide whether this is path traversal/LFI or an upload-validation/processing-chain issue

## Skill Map

- [Path Traversal LFI](../path-traversal-lfi/SKILL.md): path traversal, file read, wrapper abuse, include chains
- [Upload Insecure Files](../upload-insecure-files/SKILL.md): upload validation, storage paths, processing chains, overwrite risk, preview/share boundaries

## Recommended Flow

1. First identify whether the entry point is a path parameter, download endpoint, or upload workflow
2. Then locate whether the issue appears in accept, store, process, or serve stages
3. Small path-chain and upload-bypass samples are merged into the main topic skills; no separate payload entry is needed

## Related Categories

- [injection-checking](../injection-checking/SKILL.md)
- [business-logic-vuln](../business-logic-vuln/SKILL.md)