diff --git a/.github/workflows/check-file-contents.yml b/.github/workflows/check-file-contents.yml
index a6c31788fa..42d820ab47 100644
--- a/.github/workflows/check-file-contents.yml
+++ b/.github/workflows/check-file-contents.yml
@@ -111,7 +111,7 @@ jobs:
 # 1. Identify files containing any googleapis.com URL.
 set +e
 FILES_WITH_ENDPOINTS=$(grep -lE 'https?://[a-zA-Z0-9.-]+\.googleapis\.com' $CHANGED_FILES)
-
+
 # 2. From those, identify files that are MISSING the required mTLS version.
 if [ -n "$FILES_WITH_ENDPOINTS" ]; then
 FILES_MISSING_MTLS=$(grep -L '.mtls.googleapis.com' $FILES_WITH_ENDPOINTS)
diff --git a/src/google/adk/agents/config_agent_utils.py b/src/google/adk/agents/config_agent_utils.py
index 53a0736231..62b8f9a39a 100644
--- a/src/google/adk/agents/config_agent_utils.py
+++ b/src/google/adk/agents/config_agent_utils.py
@@ -538,14 +538,21 @@ def resolve_agent_reference(
 """
 if ref_config.config_path:
 if os.path.isabs(ref_config.config_path):
- return from_config(ref_config.config_path)
- else:
- return from_config(
- os.path.join(
- os.path.dirname(referencing_agent_config_abs_path),
- ref_config.config_path,
- )
+ raise ValueError(
+ "Absolute paths are not allowed in AgentTool config_path:"
+ f" {ref_config.config_path!r}"
+ )
+ agent_dir = os.path.dirname(referencing_agent_config_abs_path)
+ resolved_path = os.path.normpath(
+ os.path.join(agent_dir, ref_config.config_path)
+ )
+ canonical_agent_dir = os.path.normpath(agent_dir)
+ if not resolved_path.startswith(canonical_agent_dir + os.path.sep):
+ raise ValueError(
+ f"Path traversal detected: config_path {ref_config.config_path!r}"
+ " resolves outside the agent directory"
 )
+ return from_config(resolved_path)
 elif ref_config.code:
 return _resolve_agent_code_reference(ref_config.code)
 else:
diff --git a/src/google/adk/cli/utils/evals.py b/src/google/adk/cli/utils/evals.py
index d2ca8878f3..3f4085cba0 100644
--- a/src/google/adk/cli/utils/evals.py
+++ b/src/google/adk/cli/utils/evals.py
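Review bot: The containment check on `resolved_path` in the `config_agent_utils.py` hunk is purely lexical: `os.path.normpath` collapses `..` segments without consulting the filesystem, so a symlink inside the agent directory that points elsewhere still passes the `startswith` test before the path is handed to `from_config`. Resolving both sides first closes that gap: `agent_dir = os.path.realpath(os.path.dirname(referencing_agent_config_abs_path))`, `resolved_path = os.path.realpath(os.path.join(agent_dir, ref_config.config_path))`, and a comparison `os.path.commonpath([agent_dir, resolved_path]) != agent_dir` in place of the string prefix. The prefix form also rejects every reference when the agent directory is a filesystem root, because `canonical_agent_dir + os.path.sep` then carries a doubled separator. Whether symlinked configs are meant to be supported is not visible here, and the body of `resolve_agent_reference` starts above this hunk, so the docstring should state the "relative, inside the referencing agent's directory" rule explicitly.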
@@ -15,7 +15,8 @@ from __future__ import annotations import os -from typing import Any, TYPE_CHECKING +from typing import Any +from typing import TYPE_CHECKING from pydantic import alias_generators from pydantic import BaseModel
diff --git a/tests/unittests/skills/test__utils.py b/tests/unittests/skills/test__utils.py
index 0547c630a5..abae9cd8b8 100644
--- a/tests/unittests/skills/test__utils.py
+++ b/tests/unittests/skills/test__utils.py
@@ -393,5 +393,3 @@ def mock_import(name, globals=None, locals=None, fromlist=(), level=0):
 with mock.patch("builtins.__import__", mock_import):
 with pytest.raises(ImportError, match="google-cloud-storage is required"):
 _load_skill_from_gcs_dir("my-bucket", "skills/my-skill/")
-
-