Summary
crates/code-mesh-cli/src/cmd/utils.rs#L38 exposes a pub command runner that executes arbitrary system commands. Because it’s public and appears callable across crates, this enables untrusted input to reach the OS, which is a command-execution risk.
Why this matters
This violates the principle of least privilege (the function is pub without any need to be), and it can allow an attacker to run arbitrary commands.
Suggestions
This could be changed from pub to pub(crate), or even made private.
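A sketch of the suggested visibility change, added here as an example and not taken from code-mesh-cli: the names `utils`, `Tool`, `build`, `prepare` and `run`, and the set of allowed programs, are assumptions. It goes one step past the suggestion by keeping the generic runner private and exposing, within the crate only, a wrapper over a fixed set of programs.

```rust
// Added illustration: all names here are hypothetical, not from code-mesh-cli.
mod utils {
    use std::io;
    use std::process::{Command, Output};

    /// Fixed set of programs the crate may start (assumed for this example).
    #[derive(Clone, Copy, Debug)]
    pub(crate) enum Tool {
        Git,
        Cargo,
    }

    impl Tool {
        fn program(self) -> &'static str {
            match self {
                Tool::Git => "git",
                Tool::Cargo => "cargo",
            }
        }
    }

    // Private: the only function that accepts an arbitrary program string.
    // It cannot be named outside this module, so neither other modules nor
    // other crates can route their input into it.
    fn build(program: &str, args: &[&str]) -> Command {
        let mut cmd = Command::new(program);
        cmd.args(args); // separate argv entries, no shell involved
        cmd
    }

    // pub(crate): callable inside this crate only; the program name comes
    // from the enum, never from a caller-supplied string.
    pub(crate) fn prepare(tool: Tool, args: &[&str]) -> Command {
        build(tool.program(), args)
    }

    pub(crate) fn run(tool: Tool, args: &[&str]) -> io::Result<Output> {
        prepare(tool, args).output()
    }
}

fn main() {
    match utils::run(utils::Tool::Git, &["--version"]) {
        Ok(out) => print!("{}", String::from_utf8_lossy(&out.stdout)),
        Err(e) => eprintln!("could not start git: {}", e),
    }
}
```

With this layout, a call such as `utils::build("sh", ...)` from another module fails to compile, and nothing in `utils` is reachable from a dependent crate.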