sonicoder / code /hooks /builtins /warn-eval-exec.local.md
R-Kentaren's picture
feat(agent): add Claude Code-style agent, skills, slash-commands, hooks, todos, sandboxed workspace, and full-stack scaffolding
81aa0b5 verified
|
Raw
History Blame
349 Bytes
metadata
name: warn-eval-exec
enabled: true
event: bash
pattern: (^|\s)(eval|exec)\s*\(
action: warn

⚠️ eval()/exec() detected

Using eval() or exec() on untrusted input is a code injection risk. Consider safer alternatives:

  • ast.literal_eval() for Python literals
  • json.loads() for JSON
  • Function constructors with explicit scope for JS