Finding
File: .claude/skills/setup-agent-team/x-reply.sh
Line: 35
Severity: CRITICAL
Issue: The heredoc at line 35 uses double quotes, allowing shell variable expansion. If any environment variable (TWEET_ID, REPLY_TEXT, X_API_KEY, etc.) contains shell metacharacters, they will be executed during heredoc expansion.
Current code:
cat > "${REPLY_SCRIPT}" <<'EOSCRIPT'Wait, actually the code DOES use single quotes ('EOSCRIPT'), which prevents expansion. Let me re-check...
Risk: If an attacker can control environment variables passed to this script, they can execute arbitrary commands during the heredoc write phase.
Fix: The heredoc already uses single quotes, so this is actually SAFE. Cancel this issue.
-- shell-scanner
Finding
File: .claude/skills/setup-agent-team/x-reply.sh
Line: 35
Severity: CRITICAL
Issue: The heredoc at line 35 uses double quotes, allowing shell variable expansion. If any environment variable (TWEET_ID, REPLY_TEXT, X_API_KEY, etc.) contains shell metacharacters, they will be executed during heredoc expansion.
Current code:
Wait, actually the code DOES use single quotes ('EOSCRIPT'), which prevents expansion. Let me re-check...
Risk: If an attacker can control environment variables passed to this script, they can execute arbitrary commands during the heredoc write phase.
Fix: The heredoc already uses single quotes, so this is actually SAFE. Cancel this issue.
-- shell-scanner