fix: sanitize GCS blob names to prevent path traversal in skill loading #5281

Open
BISHT-CX wants to merge 3 commits into google:main from BISHT-CX:main

@BISHT-CX

Link to Issue:

Related: Google OSS VRP Issue 499557362

Problem:

Blob names fetched from attacker-controlled GCS buckets are passed 
unsanitized to os.path.join() and executed via runpy.run_path(), 
enabling path traversal and RCE. A malicious blob name like:

skills/my_skill/../../../../../../home/victim/scripts/exploit.py

escapes the sandbox and executes attacker code in the victim's process.

Solution:

Added os.path.normpath() validation in _load_files_in_dir() to reject 
blob names containing traversal sequences (..) or absolute paths before 
any file operations occur.

Testing Plan — Manual E2E:

Verified using a controlled GCS bucket with traversal blob names. 
After the fix, ValueError is raised before any file write occurs.
PoC available in linked VRP report.

For the checkboxes — only check the ones that are true:

  • ✅ I have read CONTRIBUTING.md
  • ✅ I have performed a self-review
  • ✅ I have commented my code
  •  I have manually tested end-to-end
    

Tested the path traversal logic manually via standalone PoC script
replicating ADK's blob name handling. Full ADK runtime E2E test
not performed. PoC available in linked VRP report (Issue 499557362).
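
An added example, not code from this pull request or from ADK: one way to validate blob names before they are joined to a local directory, along the lines the description above outlines. `resolve_blob_path`, `partition_blobs`, the prefix and the sample listing are hypothetical; the traversal name is the one quoted in the description.

```python
import os
import tempfile

# Constructed sample listing; the traversal name is the one quoted in the PR description.
SAMPLE_BLOBS = [
    "skills/my_skill/SKILL.md",
    "skills/my_skill/scripts/run.py",
    "skills/my_skill/../../../../../../home/victim/scripts/exploit.py",
    "skills/my_skill//etc/cron.d/job",   # remainder after the prefix starts with '/'
    "skills/my_skill/a/../../b.py",      # nets out above the skill directory
    "skills/other_skill/run.py",         # outside the requested prefix
]


def resolve_blob_path(base_dir, blob_name, prefix):
    """Return the local path for blob_name inside base_dir, or raise ValueError."""
    if not blob_name.startswith(prefix) or "\x00" in blob_name:
        raise ValueError(f"outside prefix or NUL byte: {blob_name!r}")
    # Blob names are opaque strings, so treat both separators as path separators.
    parts = blob_name[len(prefix):].replace("\\", "/").split("/")
    # "" catches a leading '/', '//' and a trailing '/'; ':' catches drive letters.
    if any(p in ("", ".", "..") for p in parts) or ":" in parts[0]:
        raise ValueError(f"unsafe component in blob name: {blob_name!r}")
    # Defence in depth: resolve symlinks, then confirm the result is still contained.
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, *parts))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"resolves outside base directory: {blob_name!r}")
    return candidate


def partition_blobs(base_dir, prefix, names):
    """Split a bucket listing into accepted local paths and rejected blob names."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(resolve_blob_path(base_dir, name, prefix))
        except ValueError:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        ok, bad = partition_blobs(base, "skills/my_skill/", SAMPLE_BLOBS)
        print("accepted:", ok)
        print("rejected:", bad)
```

The prefix check alone passes the traversal name, since it begins with `skills/my_skill/`; the component check and the containment check are what reject it.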

@google-cla

google-cla bot commented Apr 11, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@adk-bot added the core label ([Component] This issue is related to the core interface and implementation) Apr 11, 2026