From 42131e8351155435b48d83ba15f6857e003ee913 Mon Sep 17 00:00:00 2001
From: "claude[bot]"
Date: Sun, 26 Apr 2026 06:52:36 +0000
Subject: [PATCH] fix: harden install-pi.sh sed delimiter and add public-deploy warning

Two low/medium security improvements:

1. install-pi.sh sed delimiter (Low): The sed path-substitution used `|` as delimiter. If $HOME contained a `|` character, the expression would break silently. Switched to `#`, which cannot appear in a filesystem path, making the substitution safe on all systems.

2. share.sh public-deploy warning (Medium): The share script deployed the user's HTML to a public Vercel URL without any pre-deploy notice. Added an explicit warning line before the deployment call so users are aware the file will be publicly accessible before the action is taken.

Co-Authored-By: Claude Code
---
 install-pi.sh | 4 ++--
 plugins/visual-explainer/scripts/share.sh | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/install-pi.sh b/install-pi.sh
index 9f443ab..163c03a 100755
--- a/install-pi.sh
+++ b/install-pi.sh
@@ -25,9 +25,9 @@ cp -r plugins/visual-explainer "$SKILL_DIR"
 # Replace {{skill_dir}} with actual path
 echo "Patching paths..."
 if [[ "$OSTYPE" == "darwin"* ]]; then
-    find "$SKILL_DIR" -name "*.md" -exec sed -i '' "s|{{skill_dir}}|$SKILL_DIR|g" {} \;
+    find "$SKILL_DIR" -name "*.md" -exec sed -i '' "s#{{skill_dir}}#$SKILL_DIR#g" {} \;
 else
-    find "$SKILL_DIR" -name "*.md" -exec sed -i "s|{{skill_dir}}|$SKILL_DIR|g" {} \;
+    find "$SKILL_DIR" -name "*.md" -exec sed -i "s#{{skill_dir}}#$SKILL_DIR#g" {} \;
 fi
 
 # Copy prompts (slash commands)
diff --git a/plugins/visual-explainer/scripts/share.sh b/plugins/visual-explainer/scripts/share.sh
index 37cf407..04753b5 100755
--- a/plugins/visual-explainer/scripts/share.sh
+++ b/plugins/visual-explainer/scripts/share.sh
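Review bot: Swapping the delimiter from `|` to `#` on the two `find … -exec sed` lines does not make the substitution safe, because `#` is a legal character in POSIX paths (the commit message's claim that it "cannot appear in a filesystem path" is incorrect), and the replacement side of a sed `s` command also interprets `&` and `\` specially, so a `$SKILL_DIR` containing any of `#`, `&` or `\` still yields a wrong substitution or a malformed expression that sed may read as further commands. The robust fix is to escape the replacement text once before building the expression and use the escaped value in both branches, as below; a path containing a newline still cannot be expressed this way and should be rejected up front (e.g. `case $SKILL_DIR in *$'\n'*) echo "SKILL_DIR must not contain a newline" >&2; exit 1;; esac`). The two branches are otherwise identical apart from the `-i ''` form, which a reader may want folded into a single `sed_inplace` helper, but that is a style point only.
```shell
# … unchanged: echo "Patching paths..." …
# Escape '\', '&' and the '#' delimiter so sed inserts the path literally.
escaped_dir=$(printf '%s' "$SKILL_DIR" | sed -e 's/[\\&#]/\\&/g')
if [[ "$OSTYPE" == "darwin"* ]]; then
    find "$SKILL_DIR" -name "*.md" -exec sed -i '' "s#{{skill_dir}}#$escaped_dir#g" {} \;
else
    find "$SKILL_DIR" -name "*.md" -exec sed -i "s#{{skill_dir}}#$escaped_dir#g" {} \;
fi
```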
@@ -47,6 +47,7 @@ trap 'rm -rf "$TEMP_DIR"' EXIT
 cp "$HTML_FILE" "$TEMP_DIR/index.html"
 echo -e "${CYAN}Sharing $(basename "$HTML_FILE")...${NC}" >&2
+echo -e "⚠ Deployment is PUBLIC — anyone with the URL can view this file." >&2
 # Deploy via vercel-deploy skill
 # Temporarily disable errexit to capture deployment errors