@tjamescouch/agentchat 0.18.2 → 0.18.3

package/bin/agentchat.js

@@ -1581,8 +1581,7 @@ if (!firstArg || !subcommands.includes(firstArg)) {
       : `Connect to agentchat and introduce yourself in #general. Read SKILL.md if you need help.`;
 
     const claude = spawn('claude', [prompt], {
-      stdio: 'inherit',
-      shell: true
+      stdio: 'inherit'
     });
 
     claude.on('error', (err) => {

package/lib/daemon.js

@@ -25,11 +25,25 @@ const RECONNECT_DELAY = 5000; // 5 seconds
 const MAX_RECONNECT_TIME = 10 * 60 * 1000; // 10 minutes default
 const OUTBOX_POLL_INTERVAL = 500; // 500ms
 
+/**
+ * Validate instance name to prevent path traversal
+ * Only allows alphanumeric, hyphens, and underscores
+ */
+function validateInstanceName(name) {
+  if (!name || typeof name !== 'string') {
+    return 'default';
+  }
+  // Strip any path separators and dangerous characters
+  const sanitized = name.replace(/[^a-zA-Z0-9_-]/g, '');
+  return sanitized || 'default';
+}
+
 /**
  * Get paths for a daemon instance
  */
 export function getDaemonPaths(instanceName = DEFAULT_INSTANCE) {
-  const instanceDir = path.join(DAEMONS_DIR, instanceName);
+  const safeName = validateInstanceName(instanceName);
+  const instanceDir = path.join(DAEMONS_DIR, safeName);
   return {
     dir: instanceDir,
     inbox: path.join(instanceDir, 'inbox.jsonl'),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tjamescouch/agentchat",
-  "version": "0.18.2",
+  "version": "0.18.3",
   "description": "Real-time IRC-like communication protocol for AI agents",
   "main": "lib/client.js",
   "files": [