ai-code-stats

Fail

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: HIGH
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The script ai-code-stats.js is vulnerable to shell command injection. It accepts user-provided arguments such as commitHash and range and interpolates them directly into Git commands executed via child_process.execSync. An attacker can execute arbitrary commands on the host machine by providing input containing shell metacharacters such as semicolons, backticks, or pipes.
  • [COMMAND_EXECUTION]: Evidence found in ai-code-stats.js where the execGit function is invoked with unsanitized template strings, including git show --numstat --format= ${target}, git diff --numstat ${range}, and git diff ${range} -- "${filePath}". These inputs are derived from process.argv and are not validated or escaped before execution.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 14, 2026, 06:33 PM