diff --git a/app/api/endpoints/plugin.py b/app/api/endpoints/plugin.py
index b833352c..3cc974b2 100644
--- a/app/api/endpoints/plugin.py
+++ b/app/api/endpoints/plugin.py
@@ -348,7 +348,7 @@ def plugin_static_file(plugin_id: str, filepath: str):
     获取插件静态文件
     """
     # 基础安全检查
-    if ".." in plugin_id or ".." in filepath:
+    if ".." in filepath or ".." in plugin_id:
         logger.warning(f"Static File API: Path traversal attempt detected: {plugin_id}/{filepath}")
         raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Forbidden")
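Review bot: The reordered `".." in filepath or ".." in plugin_id` test is still only a substring check, so it does not reject an absolute `filepath` (a `{filepath:path}` parameter can begin with `/`, and `Path(base) / "/etc/passwd"` discards `base`), nor a `plugin_id` that is itself an absolute path or contains a drive prefix or backslash on Windows. The robust guard is to build the final path and confirm it stays under the static root, e.g. `target = (static_root / plugin_id / filepath).resolve()` followed by `if not target.is_relative_to(static_root.resolve()): raise HTTPException(status.HTTP_403_FORBIDDEN, detail="Forbidden")`, where `static_root` is whatever directory the file is later read from; `resolve()` also defeats symlinks that a string check cannot see. It would also be worth constraining `plugin_id` to a tight pattern such as `^[A-Za-z0-9_-]+$` rather than scanning it for `..`. The join and read that this check is meant to protect happen after the hunk, so I cannot confirm from here how the two parameters are combined; the body of `plugin_static_file` continues outside the hunk.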