Context-Inappropriate Capability
Medium
- Confidence: 88%
- Finding: The script automatically opens the generated .docx by constructing a platform-specific shell command and invoking it with child_process.exec. Although the output path is wrapped in quotes, using a shell is unnecessary for a document-formatting tool and creates avoidable command-execution risk if path handling is ever bypassed or edge cases in shell parsing are hit; it also triggers an unsolicited local application launch.
