Context-Inappropriate Capability
Medium
- Confidence
- 97% confidence
- Finding
- The script builds a shell command with untrusted data from both the CLI channel argument and calendar event content, then executes it via execSync. Escaping only double quotes is insufficient because shell metacharacters such as backticks or command substitution can still be interpreted, allowing command injection if an attacker controls event fields or invocation parameters.
