prompt-engineer-toolkit

The toolkit provides functional prompt engineering utilities, but `scripts/prompt_tester.py` contains a high-risk capability via the `--runner-cmd` parameter. This feature uses `subprocess.run` to execute arbitrary shell commands constructed from user-provided templates, which could be exploited for command injection or arbitrary code execution if the agent is manipulated into using a malicious runner or processing untrusted input. While this behavior is aligned with the tool's stated purpose of testing prompts against external CLIs, it represents a significant security risk without clear evidence of intentional malice.