Skip to main content
rulesSource-backedReview first Safety Privacy

AI-Generated OS Command Injection Review Rules

Source-backed rules for reviewing AI-generated code that builds or runs operating-system commands, shell invocations, or subprocesses before merge for command injection and argument injection risk, covering library alternatives to shelling out, array-form process APIs, allowlist input validation, and least-privilege execution.

by lourincedaging0-commits·added 2026-07-15·
HarnessClaude Code
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html, https://github.com/JSONbored/awesome-claude/blob/main/content/rules/ai-generated-command-injection-review-rules.mdx
Safety notes
A successful OS command injection lets an attacker run arbitrary commands with the privileges of the running process, which can mean full remote code execution, data exfiltration, or lateral movement on the host., AI assistants often shell out with a string-interpolated command (f-string, template literal, string concatenation) because it is the shortest path to invoking an external tool, without switching to the array-form API or validating input., Even a fixed, non-attacker-controlled command name is not safe if an attacker can control one of its arguments — argument injection can still cause information disclosure or code execution depending on the command.
Privacy notes
Command injection proof-of-concept payloads and captured process output can expose real filesystem contents, environment variables, or credentials; use a sandboxed environment and redact captures before pasting them into a PR or issue., Do not commit real file paths, hostnames, or internal tool names discovered while testing a suspected injection into a public PR or issue description., Subprocess output and error streams are a common place for secrets (API keys, tokens in env vars) to leak into logs; avoid logging raw stdout/stderr from a shelled-out command that could echo them back.
Author
lourincedaging0-commits
Submitted by
lourincedaging0-commits
Claim status
unclaimed
Last verified
2026-07-15

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

78

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

Copy & paste

Copy-ready — paste the snippet to get started.

15 minutes

Install command

Not provided

Config snippet

Not provided

Copy snippet

Provided

Prerequisites

4 to clear

Platforms

1 listed

Install type

Copy & paste

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

4 prerequisites to line up before setup. Includes a review or approval gate.

0/4 ready
Configuration1Permissions & scopes1Review & approval1General115 minutes

Safety & privacy surface

Safety & privacy surface

3 safety and 3 privacy notes across 4 risk areas. Review closely: credentials & tokens, network access.

4 areas
  • SafetyNetwork accessA successful OS command injection lets an attacker run arbitrary commands with the privileges of the running process, which can mean full remote code execution, data exfiltration, or lateral movement on the host.
  • SafetyLocal filesAI assistants often shell out with a string-interpolated command (f-string, template literal, string concatenation) because it is the shortest path to invoking an external tool, without switching to the array-form API or validating input.
  • SafetyExecution & processesEven a fixed, non-attacker-controlled command name is not safe if an attacker can control one of its arguments — argument injection can still cause information disclosure or code execution depending on the command.
  • PrivacyCredentials & tokensCommand injection proof-of-concept payloads and captured process output can expose real filesystem contents, environment variables, or credentials; use a sandboxed environment and redact captures before pasting them into a PR or issue.
  • PrivacyLocal filesDo not commit real file paths, hostnames, or internal tool names discovered while testing a suspected injection into a public PR or issue description.
  • PrivacyCredentials & tokensSubprocess output and error streams are a common place for secrets (API keys, tokens in env vars) to leak into logs; avoid logging raw stdout/stderr from a shelled-out command that could echo them back.

Safety notes

  • A successful OS command injection lets an attacker run arbitrary commands with the privileges of the running process, which can mean full remote code execution, data exfiltration, or lateral movement on the host.
  • AI assistants often shell out with a string-interpolated command (f-string, template literal, string concatenation) because it is the shortest path to invoking an external tool, without switching to the array-form API or validating input.
  • Even a fixed, non-attacker-controlled command name is not safe if an attacker can control one of its arguments — argument injection can still cause information disclosure or code execution depending on the command.

Privacy notes

  • Command injection proof-of-concept payloads and captured process output can expose real filesystem contents, environment variables, or credentials; use a sandboxed environment and redact captures before pasting them into a PR or issue.
  • Do not commit real file paths, hostnames, or internal tool names discovered while testing a suspected injection into a public PR or issue description.
  • Subprocess output and error streams are a common place for secrets (API keys, tokens in env vars) to leak into logs; avoid logging raw stdout/stderr from a shelled-out command that could echo them back.

Prerequisites

  • A pull request, diff, or snippet containing AI-generated or AI-edited code that builds a shell command string or invokes a subprocess/child process.
  • Knowledge of which values in the command or its arguments originate from user input, uploaded files, configuration, or other external systems.
  • Familiarity with the target language's array-form process APIs (subprocess, child_process, ProcessBuilder, or equivalent) so a shell-string call can be reviewed against a safer alternative.
  • Permission to block merge when untrusted input reaches a shell-parsed command without validation, or when a safer library alternative exists and was not used.

Schema details

Install type
copy
Troubleshooting
Yes
Collection metadata
Estimated setup
15 minutes
Difficulty
intermediate
Full copyable content
You are reviewing AI-generated code for OS command injection and argument
injection risk.

Rules:
1. Prefer a built-in library function or API over shelling out at all —
   for example a filesystem library's `mkdir`/`copy`/`remove` instead of
   invoking `mkdir`/`cp`/`rm` as a subprocess. If no untrusted input ever
   reaches a shell, injection is not possible.
2. When invoking an external program is unavoidable, use the array/list
   form of the process API (`subprocess.run([...], shell=False)`,
   Node's `execFile`/`spawn` with an argument array, Java's
   `ProcessBuilder`) so arguments are passed directly to the program
   without a shell parsing them — never build a single command string and
   pass it to a shell interpreter.
3. Flag any use of a shell-invoking call with `shell=True` (Python),
   `exec`/`execSync` given a string command (Node), `os.system`, backticks,
   or an equivalent shell-parsed call, when any part of the command or its
   arguments comes from user input, a file, or an external system.
4. Validate the command itself against an allowlist of permitted commands,
   and validate each argument with positive/allowlist validation (a
   regular expression of allowed characters and a bounded length) rather
   than a denylist of "dangerous" characters.
5. Treat this as argument injection even when the command name is fixed:
   if an attacker can control an argument's value (for example a flag like
   `--output=...` or `--help`), they can still change the program's
   behavior; use a `--` end-of-options delimiter or the library's
   equivalent where supported.
6. Confirm the process runs with the least privilege necessary for the
   task, not with elevated/root privileges inherited from the parent
   process, so a successful injection has the smallest possible blast
   radius.

About this resource

Purpose

Use these rules when an AI coding assistant writes or edits code that builds a shell command or invokes an external program. The goal is to stop a generated integration, build script, or file-processing feature from shipping a command injection hole because it works for the expected input and looks like ordinary subprocess code.

This is a review policy, not a command-injection tutorial. It tells reviewers what must be true about a generated change's process-invocation API, input validation, and privilege level before the change is safe to merge.

Review Inputs

Collect enough context to know what the process call actually does and where its inputs come from.

  • Every place the change builds a command string or invokes a subprocess, child process, or external program.
  • Which parts of the command (the program name, flags, or arguments) come from user input, an uploaded file, configuration, or another external system, versus values hardcoded by the developer.
  • Whether the call goes through a shell (a single string parsed by /bin/sh or cmd.exe) or the array/list form that bypasses shell parsing.
  • Whether a built-in library function could accomplish the same task without invoking an external program at all.

Avoid-The-Shell Rules

  • The strongest defense is not calling an OS command at all: prefer a language or framework library function (filesystem, archive, image, network libraries) over shelling out to an equivalent CLI tool.
  • When an external program is genuinely required, use the array/list form of the process API so the program and its arguments are passed directly to the OS without a shell interpreting metacharacters: subprocess.run([...], shell=False) in Python, execFile/spawn with an argument array in Node.js, ProcessBuilder with separate arguments in Java.
  • Flag shell=True, os.system, exec/execSync given a single string, backticks, or any API that hands a whole command line to a shell, whenever any part of that line is not a hardcoded literal.
  • Remember the language-specific distinction: some "exec" APIs (for example Java's Runtime.exec given a string) split on whitespace and invoke the first token directly without shell metacharacter support, while others genuinely invoke a shell — verify which behavior the specific API in the diff actually has before treating it as safe.

Input Validation And Argument Injection Rules

  • Validate the command itself against an allowlist of permitted programs; never let user input choose which program to run.
  • Validate each argument with positive/allowlist validation — an allowed character set and a maximum length — rather than trying to deny a list of "dangerous" characters (& | ; $ > < \ \ ! ' " ( )` and whitespace are common shell metacharacters, but a denylist is easy to miss a variant of).
  • Treat argument injection as a real risk even for a fixed command name: an attacker who controls an argument value can still pass an unexpected flag (for example turning a data argument into --help, --output=..., or a second target) and change the program's behavior.
  • Where the target program and library support it, use a -- end-of-options delimiter (or the equivalent convention) so attacker-controlled values cannot be interpreted as flags.
  • Escaping functions (for example PHP's escapeshellarg()) reduce risk but do not fully close argument injection; prefer array-form APIs and allowlist validation as the primary defenses, with escaping only as an additional layer when shelling out cannot be avoided at all.

Least-Privilege Rules

  • Run the process with the lowest privileges that accomplish the task, not with the privileges of a more powerful parent process (root, an admin service account, or a broad cloud IAM role).
  • Prefer a dedicated, isolated account or sandbox for a single narrow task over reusing a general-purpose privileged account for subprocess work.
  • Assume any successful injection will run with whatever privilege the process already has; least privilege limits the blast radius even when every other defense fails.

Merge Blockers

Block merge when any of these is true.

  • Untrusted input (user input, uploaded file content/name, external API response) reaches a shell-parsed command string (shell=True, os.system, string-form exec, backticks) without going through the array-form API instead.
  • A built-in library function could replace the external-program call entirely and was not used, with no documented reason for shelling out.
  • Command or argument values are validated with a denylist of "bad" characters instead of positive/allowlist validation.
  • A fixed command name is invoked with attacker-controlled arguments and no consideration of argument injection (unexpected flags, extra targets).
  • The subprocess runs with elevated or inherited privileges broader than the task requires.

Review Checklist

  • {"task": "Shell avoided where possible", "description": "A library function replaces the external-program call wherever one exists"}
  • {"task": "Array-form API used", "description": "Unavoidable process calls use the array/list form, not a shell-parsed command string"}
  • {"task": "Allowlist validation", "description": "Commands and arguments are validated against an allowlist, not a denylist of dangerous characters"}
  • {"task": "Argument injection considered", "description": "Attacker-controlled argument values can't be interpreted as unexpected flags, even for a fixed command"}
  • {"task": "Least privilege", "description": "The subprocess runs with the minimum privilege needed, not an inherited elevated account"}
  • {"task": "No secret leakage", "description": "Subprocess stdout/stderr isn't logged in a way that could echo back credentials or sensitive paths"}

AI Review Rules

AI assistants can write and review process-invocation code, but they should show their evidence.

  • Ask the assistant to list every place the change invokes an external program or builds a command string, and what API it uses for each.
  • Require the assistant to state whether each call goes through a shell or uses the array-form API, and to justify shelling out when a library alternative exists.
  • Have the assistant identify which parts of each command are attacker- or externally-influenced, and how those specific values are validated.
  • Do not let the assistant claim an escaping function alone makes a shell-parsed call safe; require the array-form API plus validation.
  • Re-run review after any change to how a command or its arguments are constructed, or to the account/privileges the process runs under.

Troubleshooting

  • Switching to the array-form API breaks a command that relied on shell features (globbing, pipes, redirection): implement the specific shell feature in code (expand the glob yourself, chain calls explicitly) rather than reintroducing a shell-parsed string for convenience.
  • Allowlist validation rejects a legitimate argument: widen the allowlist pattern deliberately and re-test with known-bad payloads, rather than switching to a denylist or removing validation.
  • A fixed-command call is flagged even though the command name can't change: check whether any argument is attacker-influenced; if so, this is legitimate argument-injection risk even with a hardcoded command name.
  • The subprocess needs elevated access for one specific operation: scope the elevation to that one operation (a narrowly-privileged helper, a capability, or a policy) instead of running the whole process with broad elevated privileges.

Duplicate And History Check

Before adding a new subprocess call, confirm the codebase does not already have a shared wrapper or library helper for this task. A generated change that shells out next to an existing safe wrapper, or reintroduces a string-form command where a validated array-form helper already exists, should be treated as suspicious — check whether the existing mechanism was simply not reused before adding a second, parallel, and possibly unsafe one.

Reference

Pattern Risk Fix
os.system(f"cmd {user_input}") Shell parses metacharacters in user_input subprocess.run(["cmd", user_input], shell=False)
exec("cmd " + userInput) (Node) String handed to /bin/sh -c execFile("cmd", [userInput]) or spawn with an array
escapeshellarg() alone Prevents command chaining, not argument injection Array-form API plus allowlist argument validation
Denylist of &, ` , ;`, etc. Easy to miss a metacharacter or encoding variant
Fixed command, attacker-controlled argument Argument injection (unexpected flags) -- end-of-options delimiter plus allowlist validation

Sources

  • OWASP OS Command Injection Defense Cheat Sheet
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command
  • OWASP Command Injection attack reference
  • Node.js child_process documentation
  • Python subprocess documentation — Security Considerations

Source citations

Add this badge to your README

Show that AI-Generated OS Command Injection Review Rules is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/rules/ai-generated-command-injection-review-rules.svg)](https://heyclau.de/entry/rules/ai-generated-command-injection-review-rules)

How it compares

AI-Generated OS Command Injection Review Rules side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

1 trust signal differ across this comparison (Submitter).

Field

Source-backed rules for reviewing AI-generated code that builds or runs operating-system commands, shell invocations, or subprocesses before merge for command injection and argument injection risk, covering library alternatives to shelling out, array-form process APIs, allowlist input validation, and least-privilege execution.

Open dossier

Source-backed rules for reviewing AI-generated request handlers and forms before merge for cross-site request forgery risk, covering state-changing method discipline, anti-CSRF token correctness, SameSite cookie posture, origin and referer checks, and safe handling of cookie-based sessions.

Open dossier

Source-backed rules for reviewing AI-generated endpoints and data-access code before merge for insecure direct object reference risk, covering per-request object-level authorization checks, scoped database lookups, identifier exposure, and consistent enforcement across read, write, and admin operations.

Open dossier

Source-backed rules for reviewing AI-generated code that deserializes data before merge for insecure deserialization risk, covering native serialization formats (pickle, PyYAML, Java Serializable) that can execute arbitrary code on untrusted input, safe data-interchange alternatives, and class allowlisting/integrity checks when native formats can't be avoided.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceSource-backedSource-backedSource-backedSource-backed
SubmitterDifferslourincedaging0-commitsjaso0n0818lourincedaging0-commitslourincedaging0-commits
Install riskReview firstReview firstReview firstReview first
Notes Safety Privacy Safety Privacy Safety Privacy Safety Privacy
Brand
Categoryrulesrulesrulesrules
Sourcesource-backedsource-backedsource-backedsource-backed
Authorlourincedaging0-commitsjaso0n0818lourincedaging0-commitslourincedaging0-commits
Added2026-07-152026-06-222026-07-152026-07-15
Platforms
Claude Code
Claude Code
Claude Code
Claude Code
Source repo
Safety notesA successful OS command injection lets an attacker run arbitrary commands with the privileges of the running process, which can mean full remote code execution, data exfiltration, or lateral movement on the host. AI assistants often shell out with a string-interpolated command (f-string, template literal, string concatenation) because it is the shortest path to invoking an external tool, without switching to the array-form API or validating input. Even a fixed, non-attacker-controlled command name is not safe if an attacker can control one of its arguments — argument injection can still cause information disclosure or code execution depending on the command.A missing CSRF defense lets a malicious page perform state-changing actions as a logged-in user — transferring funds, changing email or password, or deleting data — using the victim's ambient cookies. AI assistants often generate handlers that work in tests yet omit token validation or perform state changes on GET, because the happy path succeeds without any forged cross-site request. Relying on SameSite cookies alone is not sufficient: defaults vary, Lax still allows top-level GET navigations, and some clients or legacy browsers do not enforce it.A missing object-level authorization check lets any authenticated (or sometimes unauthenticated) user read, modify, or delete another user's data by changing an identifier in the request — accounts, documents, orders, invoices, and support tickets are common targets. AI assistants often generate a correct-looking handler for the current user's own data and skip the cross-user check entirely, because the happy-path test only ever exercises the requester's own objects. Switching to random/UUID identifiers reduces guessability but is not an authorization control; do not accept it as a substitute for a server-side ownership or permission check.Deserializing untrusted data with a native format's full-featured API (pickle, unsafe YAML, Java Serializable, PHP unserialize) can cause denial-of-service or remote code execution — the vulnerability triggers during deserializing itself, before any application logic runs on the result. AI assistants often reach for the most convenient deserialization call (pickle for Python object graphs, yaml.load for config-like YAML, ObjectInputStream for Java) without checking whether the input is trusted, since developer-controlled test data works regardless of which API is used. An integrity check (signature/MAC) added after deserialization already ran does not help — the attack happens during deserialization, so the check must gate the deserialization call itself, not just the object it produces.
Privacy notesCommand injection proof-of-concept payloads and captured process output can expose real filesystem contents, environment variables, or credentials; use a sandboxed environment and redact captures before pasting them into a PR or issue. Do not commit real file paths, hostnames, or internal tool names discovered while testing a suspected injection into a public PR or issue description. Subprocess output and error streams are a common place for secrets (API keys, tokens in env vars) to leak into logs; avoid logging raw stdout/stderr from a shelled-out command that could echo them back.CSRF tokens are security credentials; do not paste real tokens, session cookies, or production request captures into public PR comments or issues. Use synthetic accounts and redacted requests when demonstrating a CSRF proof of concept, and avoid attaching real user identifiers. Be careful that anti-CSRF tokens are not written into URLs, analytics, or logs, where they can leak through referer headers or shared dashboards.IDOR proof-of-concept testing can expose another account's real data; use synthetic test accounts and synthetic objects rather than real user records when demonstrating the issue. Do not paste real user identifiers, documents, or other objects retrieved during testing into a public PR or issue; redact or replace them with placeholders. Server-side logs and error messages for a denied access attempt should avoid echoing back the unauthorized object's contents, only that access was denied.Deserialization proof-of-concept payloads (e.g. a crafted pickle or Java serialized stream) can trigger real code execution in a test environment; run them only in an isolated, disposable sandbox, never against a shared or production system. Do not commit real crafted exploit payloads, credentials, or internal class/package names discovered while testing into a public PR or issue; describe the vulnerable pattern instead of attaching a working exploit.
Prerequisites
  • A pull request, diff, or snippet containing AI-generated or AI-edited code that builds a shell command string or invokes a subprocess/child process.
  • Knowledge of which values in the command or its arguments originate from user input, uploaded files, configuration, or other external systems.
  • Familiarity with the target language's array-form process APIs (subprocess, child_process, ProcessBuilder, or equivalent) so a shell-string call can be reviewed against a safer alternative.
  • Permission to block merge when untrusted input reaches a shell-parsed command without validation, or when a safer library alternative exists and was not used.
  • A pull request, diff, or snippet containing an AI-generated or AI-edited request handler, form, or fetch call with enough context to know how the user is authenticated.
  • Knowledge of how the framework manages sessions and CSRF tokens, since built-in protection, cookie defaults, and token helpers differ between frameworks.
  • Awareness of which routes change state and which are read-only, so the review can focus on unsafe methods.
  • Permission to block merge when a cookie-authenticated state change ships without a CSRF defense.
  • A pull request, diff, or snippet containing an AI-generated or AI-edited endpoint, resolver, or data-access function that accepts an object identifier from the request.
  • Knowledge of the application's ownership/permission model, since what counts as "authorized" differs between single-owner resources, shared resources, and admin-only resources.
  • Access to at least two distinct user accounts (or awareness of how to create them) to verify cross-account access is actually denied, not just assumed.
  • Permission to block merge when an object-level authorization check is missing, inconsistent, or client-trusted.
  • A pull request, diff, or snippet containing AI-generated or AI-edited code that deserializes, unpickles, unmarshals, or loads structured data from an external source.
  • Knowledge of which deserialization APIs the language/framework in use considers "safe" versus "native/unsafe" (this differs significantly between Python, Java, PHP, Ruby, and JS/Node).
  • Awareness of which data sources in the application are genuinely untrusted (client-supplied, cross-service, or user-uploaded) versus fully internal and controlled.
  • Permission to block merge when untrusted data reaches a native deserialization API without an allowlist or integrity check.
Install
Config
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.