From 14a3fa5290d501af371b335eafa46b5e9f75367e Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Tue, 24 Mar 2026 18:12:03 +0530
Subject: [PATCH] fix: use subprocess instead of os.system in analyze.py (#1289)

The data analysis skill executes shell commands using os
Resolves V-001

Co-authored-by: orbisai0security
---
 scripts/check.py | 2 +-
 skills/public/data-analysis/scripts/analyze.py | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/scripts/check.py b/scripts/check.py
index 3187dad..69b6e2d 100644
--- a/scripts/check.py
+++ b/scripts/check.py
@@ -12,7 +12,7 @@ from typing import Optional
 def run_command(command: list[str]) -> Optional[str]:
     """Run a command and return trimmed stdout, or None on failure."""
     try:
-        result = subprocess.run(command, capture_output=True, text=True, check=True)
+        result = subprocess.run(command, capture_output=True, text=True, check=True, shell=False)
     except (OSError, subprocess.CalledProcessError):
         return None
     return result.stdout.strip() or result.stderr.strip()
diff --git a/skills/public/data-analysis/scripts/analyze.py b/skills/public/data-analysis/scripts/analyze.py
index a0530d0..b38ae47 100644
--- a/skills/public/data-analysis/scripts/analyze.py
+++ b/skills/public/data-analysis/scripts/analyze.py
@@ -11,6 +11,7 @@
 import json
 import logging
 import os
 import re
+import subprocess
 import sys
 import tempfile
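Review bot: `shell=False` on the `subprocess.run` call in `run_command` is already the default, so the added keyword changes nothing at runtime; the argv-list contract expressed by `command: list[str]` is what actually keeps this call out of a shell. If the goal is to make that contract visible to readers and scanners, a comment carries it more honestly than a redundant argument, e.g. `# command is an argv list, never a shell string; shell=False is the default, stated for clarity`, otherwise the keyword reads as a fix where there was no defect. This file is also not mentioned in the commit title, which names only analyze.py, so a line in the description explaining why check.py was touched would help. `run_command` is fully contained in the hunk.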
@@ -21,13 +22,13 @@ try:
     import duckdb
 except ImportError:
     logger.error("duckdb is not installed. Installing...")
-    os.system(f"{sys.executable} -m pip install duckdb openpyxl -q")
+    subprocess.run([sys.executable, "-m", "pip", "install", "duckdb", "openpyxl", "-q"], check=True)
     import duckdb
 
 try:
     import openpyxl # noqa: F401
 except ImportError:
-    os.system(f"{sys.executable} -m pip install openpyxl -q")
+    subprocess.run([sys.executable, "-m", "pip", "install", "openpyxl", "-q"], check=True)
 
 # Cache directory for persistent DuckDB databases
 CACHE_DIR = os.path.join(tempfile.gettempdir(), ".data-analysis-cache")
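Review bot: Both new `subprocess.run([..., "pip", "install", ...], check=True)` calls still install unpinned packages from the network at module import time, which the commit does not address: the shell-injection surface is gone, but whatever `duckdb`/`openpyxl` version the configured index serves is pulled into the running interpreter's environment with no version pin and no `--require-hashes`, so this remains a supply-chain exposure rather than a hardened fallback. `check=True` also changes the failure mode: `os.system` discarded pip's exit status and control fell through to `import duckdb` (an `ImportError`), whereas a failed install now aborts import with an uncaught `subprocess.CalledProcessError` that callers of this module are unlikely to expect. Wrapping the call preserves the old contract while keeping the error visible, e.g. `except subprocess.CalledProcessError as exc:` / `    raise ImportError("duckdb is required and automatic install failed") from exc`, and the packages should be pinned (`"duckdb==<version>"`) or the self-install replaced by a clear message pointing at the project's declared dependencies. The second block installs `openpyxl` but never re-imports it, so on the install path the module is present but not loaded in this process; that is presumably fine if consumers import it lazily, but worth confirming. The first `try:` opens on the line just before the hunk (it appears only as hunk context).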