fix: use subprocess instead of os.system in analyze.py (#1289)

The data analysis skill executes shell commands using os Resolves V-001 Co-authored-by: orbisai0security <orbisai0security@users.noreply.github.com>
2026-04-03 06:12:14 +08:00 · 2026-03-24 18:12:03 +05:30
parent 4b15f14647
commit 14a3fa5290
2 changed files with 4 additions and 3 deletions
--- a/scripts/check.py
+++ b/scripts/check.py
@@ -12,7 +12,7 @@ from typing import Optional
 def run_command(command: list[str]) -> Optional[str]:
    """Run a command and return trimmed stdout, or None on failure."""
    try:
-        result = subprocess.run(command, capture_output=True, text=True, check=True)
+        result = subprocess.run(command, capture_output=True, text=True, check=True, shell=False)
    except (OSError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip() or result.stderr.strip()
--- a/skills/public/data-analysis/scripts/analyze.py
+++ b/skills/public/data-analysis/scripts/analyze.py
@@ -11,6 +11,7 @@ import json
 import logging
 import os
 import re
+import subprocess
 import sys
 import tempfile

@@ -21,13 +22,13 @@ try:
    import duckdb
 except ImportError:
    logger.error("duckdb is not installed. Installing...")
-    os.system(f"{sys.executable} -m pip install duckdb openpyxl -q")
+    subprocess.run([sys.executable, "-m", "pip", "install", "duckdb", "openpyxl", "-q"], check=True)
    import duckdb

 try:
    import openpyxl  # noqa: F401
 except ImportError:
-    os.system(f"{sys.executable} -m pip install openpyxl -q")
+    subprocess.run([sys.executable, "-m", "pip", "install", "openpyxl", "-q"], check=True)

 # Cache directory for persistent DuckDB databases
 CACHE_DIR = os.path.join(tempfile.gettempdir(), ".data-analysis-cache")