---
name: warn-eval-exec
enabled: true
event: bash
pattern: (^|\s)(eval|exec)\s*\(
action: warn
---

⚠️ **eval()/exec() detected**

Using eval() or exec() on untrusted input is a code injection risk. Consider safer alternatives:

- ast.literal_eval() for Python literals
- json.loads() for JSON
- Function constructors with explicit scope for JS
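An added Python example, not part of the rule file: it runs the hook's pattern over a few constructed bash command lines to show what the warning does and does not catch, and contrasts eval() with the ast.literal_eval() alternative the message recommends. The sample commands and inputs are constructed for this example.

```python
import ast
import re

# The hook's regex, copied from the rule frontmatter above.
EVAL_EXEC_PATTERN = re.compile(r"(^|\s)(eval|exec)\s*\(")


def flags_eval_exec(command: str) -> bool:
    """True when the warn-eval-exec hook would fire on this bash command."""
    return EVAL_EXEC_PATTERN.search(command) is not None


def scan_commands(commands):
    """Map each command line to whether the hook warns on it."""
    return {cmd: flags_eval_exec(cmd) for cmd in commands}


# Constructed sample bash commands (not from the rule file).
SAMPLE_COMMANDS = [
    "python3 -c 'import sys; eval(sys.argv[1])'",                   # warns: whitespace before eval(
    'exec (compile(src, "<s>", "exec"))',                           # warns: \s* allows a gap before (
    "python3 -c 'import ast, sys; ast.literal_eval(sys.argv[1])'",  # silent: '_' precedes eval(
    "grep -rn medieval src/",                                       # silent: no call parenthesis
    'python3 -c "eval(input())"',                                   # silent: a quote, not whitespace, precedes eval(
]


def parse_untrusted_literal(text: str):
    """Hardened replacement for eval() on configuration-like input.

    ast.literal_eval accepts only Python literal syntax (numbers, strings,
    tuples, lists, dicts, sets, booleans, None) and raises ValueError or
    SyntaxError on anything else, so a call or attribute access in the input
    is rejected instead of executed.
    """
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"not a Python literal: {text!r}") from exc


def is_rejected(text: str) -> bool:
    """True when parse_untrusted_literal refuses the input."""
    try:
        parse_untrusted_literal(text)
    except ValueError:
        return True
    return False


# Constructed inputs: a config literal both eval() and literal_eval() accept,
# and a call expression that eval() would run but literal_eval() refuses.
CONFIG_LITERAL = "{'debug': True, 'ports': [8080, 8443]}"
CALL_EXPRESSION = "len([1, 2, 3])"

if __name__ == "__main__":
    for cmd, warned in scan_commands(SAMPLE_COMMANDS).items():
        print(f"{'WARN' if warned else 'ok  '} {cmd}")
    print(parse_untrusted_literal(CONFIG_LITERAL))
    print("rejected:", is_rejected(CALL_EXPRESSION))
```

The last two sample commands show that the pattern is a heuristic: it requires whitespace or line start before the call, so eval( directly after a quote is not flagged.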