[Security] exec() usage — potential command injection surface

Found via SkillFence scan (npmjs.com/package/skillfence). exec() calls in client.ts, command.ts, index.ts could be command injection vectors if user input reaches them unsanitized. Recommend using execFile() with explicit args instead. Scan: npx skillfence scan . (Verdict: BLOCK, 45 findings)