Hacker News
by bredren 38 days ago
I identified this in August last year but it was specifically excluded by Anthropic's Vulnerability Disclosure Program Policy at the time.

You can still see the exclusion on HackerOne: https://hackerone.com/anthropic-vdp/policy_scopes

   Out of Scope:

    Abusing intended functionality of Claude CLI
    Using aliased commands, symlinks or other environment-specific settings to bypass permission prompts
    Local storage of Claude Code credentials, configuration and logs

Symlinks have been very important for managing skills from disparate sources and managing multiple CLIs.

Codex did not originally support symlink'd skills but added it in response to user requests on Jan 9th.