fix: use subprocess instead of os.system in analyze.py (#1289)

The data analysis skill executes shell commands using os
Resolves V-001

Co-authored-by: orbisai0security <orbisai0security@users.noreply.github.com>

scripts/check.py

@@ -12,7 +12,7 @@ from typing import Optional
 def run_command(command: list[str]) -> Optional[str]:
     """Run a command and return trimmed stdout, or None on failure."""
     try:
-        result = subprocess.run(command, capture_output=True, text=True, check=True)
+        result = subprocess.run(command, capture_output=True, text=True, check=True, shell=False)
     except (OSError, subprocess.CalledProcessError):
         return None
     return result.stdout.strip() or result.stderr.strip()

skills/public/data-analysis/scripts/analyze.py

@@ -11,6 +11,7 @@ import json
 import logging
 import os
 import re
+import subprocess
 import sys
 import tempfile
 
@@ -21,13 +22,13 @@ try:
     import duckdb
 except ImportError:
     logger.error("duckdb is not installed. Installing...")
-    os.system(f"{sys.executable} -m pip install duckdb openpyxl -q")
+    subprocess.run([sys.executable, "-m", "pip", "install", "duckdb", "openpyxl", "-q"], check=True)
     import duckdb
 
 try:
     import openpyxl  # noqa: F401
 except ImportError:
-    os.system(f"{sys.executable} -m pip install openpyxl -q")
+    subprocess.run([sys.executable, "-m", "pip", "install", "openpyxl", "-q"], check=True)
 
 # Cache directory for persistent DuckDB databases
 CACHE_DIR = os.path.join(tempfile.gettempdir(), ".data-analysis-cache")