Context-Inappropriate Capability
Medium
- Confidence
- 93% confidence
- Finding
- The script builds a shell command string with user-influenced input (`query`, derived from `--stock`/`--name`) and executes it via `execSync`, which invokes a shell. Even though the script path and query are wrapped in double quotes, shell metacharacters such as embedded quotes or command substitutions can still break out of quoting and lead to command injection, making this more dangerous than a normal stock-brief generator needs to be.
