context-pack

Fail

Audited by Socket on Mar 11, 2026

1 alert found:

Obfuscated File (severity: HIGH)
scripts/unpack.sh

This script correctly implements a basic markdown-to-files unpacker, but it contains security weaknesses that a malicious or tampered context file can abuse. The script does not exhibit network activity or intentional obfuscation.

Primary risks: path traversal via unsanitized filenames, allowing writes outside OUTPUT_DIR; symlink/TOCTOU races, enabling overwrite of arbitrary files; and content corruption via echo -e escape interpretation.

Recommended mitigations: reject absolute paths and path segments containing '..'; canonicalize the final path (realpath or readlink -f) and verify it is within OUTPUT_DIR; create parent directories safely and avoid following symlinks; use secure file creation (open with O_EXCL/O_NOFOLLOW, or use mktemp for temporary files and then rename); write contents without interpreting escapes (e.g., printf '%s', or redirection from a heredoc); enforce size quotas and explicit file permissions.

Confidence: 98%
Audit Metadata
Analyzed At
Mar 11, 2026, 04:16 PM
Package URL
pkg:socket/skills-sh/wojons%2Fskills%2Fcontext-pack%2F@cc1a996893ff260ab53fc97d77700c2960dac419