From 0a7a869ad47927e1d19b478d9174bd29478603c1 Mon Sep 17 00:00:00 2001
From: sickn33 <sickn33@users.noreply.github.com>
Date: Tue, 7 Apr 2026 20:16:53 +0200
Subject: [PATCH] fix(security): Avoid shelling curl command

---
 tools/scripts/restore_vibeship_skills.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tools/scripts/restore_vibeship_skills.js b/tools/scripts/restore_vibeship_skills.js
index 21b478b1..55402c43 100644
--- a/tools/scripts/restore_vibeship_skills.js
+++ b/tools/scripts/restore_vibeship_skills.js
@@ -28,7 +28,11 @@ function runCommand(cmd) {
 }
 
 function fetchText(url) {
-  return runCommand(`curl -fsSL --max-time 30 ${JSON.stringify(url)}`);
+  return cp.execFileSync("curl", ["-fsSL", "--max-time", "30", url], {
+    encoding: "utf8",
+    maxBuffer: 32 * 1024 * 1024,
+    cwd: ROOT,
+  });
 }
 
 function parseOptionalYaml(relPath) {