Source: Security review for v0.2.0.
`src-tauri/src/commands/ai.rs` — `install_ollama` shells out to `brew install --cask ollama` without a UI confirmation. Arguments are static so there's no command injection, but it runs with the user's full Homebrew privileges and a malicious tap or compromised formula could execute arbitrary code.
Recommendation:
- Show a UI confirmation modal before invoking `brew`.
- Surface the exact command and an option for the user to run it themselves.
- Consider a "manual install" link as the safer default.
Touched files: `src-tauri/src/commands/ai.rs`, `src/components/settings/AiSettings.tsx` (or wherever the install button lives)
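One way to implement the recommendation on the Rust side, written here as an added example rather than the project's own code: the `brew` invocation stays a static constant (so there is still nothing to inject), but the same constant is rendered into the exact command line the settings UI shows in its confirmation modal, and the command refuses to spawn anything unless the frontend passes back an explicit `confirmed` flag after the user accepted. The `confirmed` parameter, the `InstallOutcome` type and the `install_command_display` helper are assumptions for this example; in the real project `install_ollama` would carry `#[tauri::command]`, which is omitted so the snippet builds without the `tauri` crate.

```rust
use std::process::Command;

/// The fixed installer invocation. No string interpolation happens here,
/// which is why command injection is not a concern; the same constant also
/// feeds the confirmation UI so the user sees exactly what will run.
pub const INSTALL_PROGRAM: &str = "brew";
pub const INSTALL_ARGS: &[&str] = &["install", "--cask", "ollama"];

/// Render the exact command line for the modal, so the user can review it or
/// copy it into a terminal and run it themselves (the "manual install" path).
pub fn install_command_display() -> String {
    std::iter::once(INSTALL_PROGRAM)
        .chain(INSTALL_ARGS.iter().copied())
        .collect::<Vec<&str>>()
        .join(" ")
}

/// What the frontend receives instead of a silent install (assumed type).
#[derive(Debug, PartialEq)]
pub enum InstallOutcome {
    /// Nothing was executed; the UI must display `command` and ask first.
    NeedsConfirmation { command: String },
    /// The user confirmed and `brew` was spawned; reports whether it succeeded.
    Ran { success: bool },
}

#[derive(Debug, PartialEq)]
pub enum InstallError {
    /// `brew` could not be started (not installed, not on PATH, ...).
    Spawn(String),
}

/// Gate the privileged action on a per-call confirmation flag that the
/// frontend sends only after the user accepted the modal. In the project this
/// would be a `#[tauri::command]`; the attribute is left out here.
pub fn install_ollama(confirmed: bool) -> Result<InstallOutcome, InstallError> {
    if !confirmed {
        // First call from the UI: hand back the command to display, run nothing.
        return Ok(InstallOutcome::NeedsConfirmation {
            command: install_command_display(),
        });
    }
    // Second call, after the user clicked "Install": spawn the static command.
    let status = Command::new(INSTALL_PROGRAM)
        .args(INSTALL_ARGS)
        .status()
        .map_err(|e| InstallError::Spawn(e.to_string()))?;
    Ok(InstallOutcome::Ran {
        success: status.success(),
    })
}

fn main() {
    // Stand-alone demonstration of the unconfirmed path: nothing is executed.
    match install_ollama(false) {
        Ok(InstallOutcome::NeedsConfirmation { command }) => {
            println!("would ask the user to confirm: {command}")
        }
        other => println!("unexpected: {other:?}"),
    }
}
```

The frontend flow then becomes two invocations of the same command: the first (with `confirmed: false`) populates the modal with the returned command string and a "run it yourself" hint, and only a click on the modal's accept button triggers the second call with `confirmed: true`. Because the gate lives in the Rust command rather than only in the React component, a frontend bug cannot skip the confirmation.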