accept-no-substitutes

The configuration itself is benign but poses an actionable supply-chain and local privilege risk because it triggers execution of a user-local shell script on PostToolUse events. Treat as medium security risk: audit and lock down the script path, review script contents, and consider replacing arbitrary shell execution with a vetted, signed, or sandboxed handler before deploying in sensitive environments.