Context-Inappropriate Capability
Medium
- Confidence: 98%
- Finding: The script imports child_process and later builds a shell command with user-controlled inputFile for execSync. Although the path is wrapped in double quotes, shell metacharacters such as embedded quotes can still break out of quoting and enable command injection, causing arbitrary command execution in the context of the user running the skill.
