Review Finding
PR: #75 (feat: MCP server source control + 5 new session tools)
File: install.sh
Line: 93
Severity: must-fix
Description
The latest_version variable (fetched from the GitHub API) is interpolated directly into a python3 -c "..." heredoc: data['skills']['${SKILL_NAME}'] = {'last_check': ${now}, 'latest': '${latest_version}', ...}. If the tag_name returned by the API contains a single-quote or newline, it breaks out of the Python string literal and allows arbitrary code execution. Strip or validate latest_version to [0-9.]+ before using it in any Python interpolation.
Auto-created by Claude Code Review.
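The following is an added illustration of the fix the finding asks for; it is not code from PR #75 or from install.sh. It shows the two defensive layers a reviewer would expect: rejecting any tag that is not [0-9.]+ before it goes anywhere near python3, and handing the value to Python through the environment with a quoted heredoc instead of splicing it into a string literal, so even a value containing a quote or newline cannot change the Python program. Function names (normalize_tag, validate_version, write_last_check), the registry path and the sample tags are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the project's install.sh. Demonstrates validating a
# GitHub tag_name before using it with python3. All names are hypothetical.

# Strip a leading "v" (GitHub tags are commonly "v1.2.3"); assumption, not from the PR.
normalize_tag() {
    printf '%s' "${1#v}"
}

# Return 0 only when $1 consists solely of digits and dots (the [0-9.]+ rule
# from the finding). Any other character, including quote, newline or space,
# is rejected, and so is the empty string.
validate_version() {
    case "$1" in
        '')          return 1 ;;
        *[!0-9.]*)   return 1 ;;
        *)           return 0 ;;
    esac
}

# Record the last check for a skill in a JSON registry file.
# $1 skill name, $2 version (already validated), $3 registry path.
# The values reach Python via environment variables and the heredoc is quoted
# ('PY'), so the shell performs no expansion inside the Python source at all.
write_last_check() {
    validate_version "$2" || {
        printf 'refusing unexpected version string: %s\n' "$2" >&2
        return 1
    }
    SKILL_NAME="$1" LATEST="$2" REGISTRY="$3" python3 - <<'PY'
import json, os, time

path = os.environ["REGISTRY"]
try:
    with open(path) as f:
        data = json.load(f)
except FileNotFoundError:
    data = {"skills": {}}

# Values are ordinary Python strings here; no interpolation into source text.
data.setdefault("skills", {})[os.environ["SKILL_NAME"]] = {
    "last_check": int(time.time()),
    "latest": os.environ["LATEST"],
}
with open(path, "w") as f:
    json.dump(data, f, indent=2)
PY
}

# --- demonstration with constructed tag values (not real API responses) ---
good_tag="v1.4.2"
bad_tag="1.4.2'x"   # a single quote: would terminate a '...' literal if interpolated

for tag in "$good_tag" "$bad_tag"; do
    v=$(normalize_tag "$tag")
    if validate_version "$v"; then
        printf 'accepted: %s\n' "$v"
    else
        printf 'rejected: %s\n' "$tag" >&2
    fi
done

if command -v python3 >/dev/null 2>&1; then
    registry="${TMPDIR:-/tmp}/skill-registry-example.json"
    write_last_check demo-skill "$(normalize_tag "$good_tag")" "$registry"
    cat "$registry"
    printf '\n'
fi
```

Even with the environment-variable approach, keep the validate_version check: the registry is consumed by other parts of the installer, and an unconstrained string stored as "latest" would simply move the problem to the next place that reads it.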