From d09c57ae1279a4ef03e76d3aa4e6d1f029465797 Mon Sep 17 00:00:00 2001
From: root <root@DESKTOP-V9DGVF3.localdomain>
Date: Wed, 21 Jan 2026 13:48:07 +0400
Subject: [PATCH] fix: prevent shell injection in python hooks

---
 src/cli/install.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/cli/install.rs b/src/cli/install.rs
index ba03e5b..55ce2d9 100644
--- a/src/cli/install.rs
+++ b/src/cli/install.rs
@@ -380,7 +380,7 @@ if __name__ == "__main__":
             "matcher": "startup|resume",
             "hooks": [{
                 "type": "command",
-                "command": format!("python3 \"{}\"", watch_py.display()),
+                "command": ["python3", watch_py.display().to_string()],
                 "timeout": 10
             }]
         });
@@ -399,7 +399,7 @@ if __name__ == "__main__":
         let hook_entry = serde_json::json!({
             "hooks": [{
                 "type": "command",
-                "command": format!("python3 \"{}\"", kill_py.display()),
+                "command": ["python3", kill_py.display().to_string()],
                 "timeout": 10
             }]
         });