🤖 security: escape scriptsDir in discovery to prevent shell injection

Change-Id: I53dd13c27711e3b9e013c37fd917f270d2df969f
Signed-off-by: Thomas Kosiewski <tk@coder.com>

Author: ThomasK33

src/utils/scripts/discovery.ts

@@ -99,9 +99,11 @@ async function discoverScriptsInternal(
   // 3. Print separator + filename
   // 4. Print executable status
   // 5. Print first 20 lines (for description extraction)
+  // Note: We quote paths to prevent shell injection
+  const safeScriptsDir = scriptsDir.replace(/'/g, "'\\''");
   const command = `
-    if [ -d "${scriptsDir}" ]; then
-      for f in "${scriptsDir}"/*; do
+    if [ -d '${safeScriptsDir}' ]; then
+      for f in '${safeScriptsDir}'/*; do
         [ -f "$f" ] || continue
         echo "${separator}$(basename "$f")"
         if [ -x "$f" ]; then echo "IS_EXECUTABLE:1"; else echo "IS_EXECUTABLE:0"; fi