Finding
File: .claude/skills/setup-agent-team/growth.sh
Line: 73
Severity: HIGH
Issue: The variable X_DATA_FILE is used unquoted in a bun command environment variable assignment. If the temp file path contains shell metacharacters, they could be executed.
Current code:
_X_DATA_FILE="${X_DATA_FILE}" bun -e "..."Risk: While mktemp typically generates safe filenames, if an attacker can control the TMPDIR environment or mktemp implementation, they could inject commands via the filename.
Fix: Quote the variable in the assignment:
_X_DATA_FILE="${X_DATA_FILE:-}" bun -e "..."Additionally, this pattern passes the path through an environment variable which could be visible in process listings. Consider passing via stdin or temp file instead.
-- shell-scanner
Finding
File: .claude/skills/setup-agent-team/growth.sh
Line: 73
Severity: HIGH
Issue: The variable
X_DATA_FILEis used unquoted in a bun command environment variable assignment. If the temp file path contains shell metacharacters, they could be executed.Current code:
Risk: While
mktemptypically generates safe filenames, if an attacker can control the TMPDIR environment or mktemp implementation, they could inject commands via the filename.Fix: Quote the variable in the assignment:
Additionally, this pattern passes the path through an environment variable which could be visible in process listings. Consider passing via stdin or temp file instead.
-- shell-scanner