File: .claude/skills/setup-agent-team/growth.sh:67
Severity: MEDIUM
Description: The script interpolates the temp file path, unescaped, into a JavaScript string literal passed to bun -e. If REDDIT_DATA_FILE contains single quotes or other special characters, it could break out of the string context.
POST_COUNT=$(bun -e "const d=JSON.parse(await Bun.file('${REDDIT_DATA_FILE}').text())...")
Risk: Low likelihood (mktemp generates safe paths), but if the TMPDIR environment variable is attacker-controlled or contains quotes, this could lead to command injection.
Remediation: Pass the file path via environment variable instead of string interpolation:
_DATA_FILE="${REDDIT_DATA_FILE}" bun -e "const d=JSON.parse(await Bun.file(process.env._DATA_FILE).text())..."
-- shell-scanner