api-filtering-sorting
Audited by Socket on Feb 15, 2026
1 alert found:
Security [Skill Scanner]: Backtick command substitution detected

BENIGN, but with a security caveat: the code correctly whitelists fields and sorts and implements parsing/coercion, which fits the stated purpose. However, it interpolates user-supplied operator names directly into MongoDB operator keys without an allowlist or operator-specific validation/normalization (and the docs describe 'in' and 'like' operators that the code does not handle). This can enable unexpected NoSQL queries (e.g., $where or other special operators) depending on the DB driver and schema, so hardening is recommended (an explicit operator allowlist, per-field type validation, proper handling of 'in' as arrays, and limits on query complexity).

LLM verification: Functionality aligns with the intended purpose but contains a significant NoSQL injection risk: the code constructs DB operator keys dynamically from untrusted parameter names without an operator whitelist or per-field operator/type validation. Sort handling is reasonably constrained. There is no evidence of malware, exfiltration, or obfuscation in this fragment; the primary security concern is database-side injection/abuse. Apply operator whitelisting, per-field operator/type restrictions, correct