hooks/check-token.sh lines 81-82 interpolate the refreshed token directly into a sed replacement expression using | as the delimiter:
sed -i '' "s|^${key}: .*|${key}: \"${val}\"|" "$file"
If ${val} (the new access token or refresh token) contains |, &, or \, sed will either error out or perform an incorrect substitution: | terminates the replacement early, & is replaced by the text matched on the pattern side, and \ starts an escape sequence. The likely outcome is a corrupted .claude/spotify-ads-api.local.md settings file and broken subsequent API calls. Spotify OAuth tokens are generally base64url-safe today, but this is unsafe input handling at a trust boundary and could break silently if the token format ever changes.
Additionally, line 91 uses ${modified_command//$access_token/$new_token} — the pattern side of bash's // expansion interprets glob metacharacters (*, ?, [) when the expansion is unquoted, so a token containing those characters would not substitute correctly. Since bash 5.2 (where patsub_replacement is on by default) an unquoted replacement side also expands & to the matched text, so $new_token should be quoted as well.
Suggested fix: escape the delimiter, & and \ in ${val} before interpolating it into sed, or write the file using a safer method that never passes the value through a regex (e.g., printf or awk into a temp file followed by mv, or yq/python for the YAML frontmatter). For the bash substitution, quote both sides: "${modified_command//"$access_token"/"$new_token"}".
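Hardened versions of both constructs, as an added example that is not part of check-token.sh or the project's code. The function names (yaml_dq_escape, set_frontmatter_value, swap_token), the sample frontmatter file and the sample tokens are constructed for the demo. The file update hands key and value to awk through the environment and matches the line by literal prefix with index(), so no sed, regex or backslash processing ever sees the token; the value is escaped for a YAML double-quoted scalar first. The command rewrite quotes both sides of the // expansion, which makes the old token a literal string rather than a glob and keeps a literal & in the new token from being expanded under bash 5.2's patsub_replacement default.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helpers, not the project's code).
set -euo pipefail

# Escape a value for use inside a YAML double-quoted scalar "...".
# Backslashes are doubled first so the quote escapes added afterwards are not doubled again.
yaml_dq_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '%s' "$s"
}

# Replace the value of `key: ...` in a frontmatter-style file without sed.
# KEY/VAL reach awk via ENVIRON, so no -v backslash interpretation and no regex
# metacharacter from the token can influence the match or the replacement.
# The result is written to a temp file in the same directory and moved into place.
set_frontmatter_value() {
  local file=$1 key=$2 val tmp
  val=$(yaml_dq_escape "$3")
  tmp=$(mktemp "${file}.XXXXXX")
  KEY="$key" VAL="$val" awk '
    BEGIN { k = ENVIRON["KEY"] ": "; v = ENVIRON["VAL"] }
    index($0, k) == 1 { print k "\"" v "\""; next }
    { print }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Glob-safe and &-safe token replacement inside a command string.
# Quoting "$old" on the pattern side disables *, ? and [ as wildcards;
# quoting "$new" on the replacement side keeps & literal (bash >= 5.2).
swap_token() {
  local cmd=$1 old=$2 new=$3
  printf '%s' "${cmd//"$old"/"$new"}"
}

# Constructed demo input: a fake settings file and deliberately hostile tokens.
demo=$(mktemp)
printf -- '---\naccess_token: "OLD_TOKEN"\nrefresh_token: "OLD_REFRESH"\n---\n# body\n' > "$demo"
set_frontmatter_value "$demo" access_token 'ab|cd&ef\gh'
cat "$demo"
swap_token 'curl -H "Authorization: Bearer OLD*TOKEN?" https://example.invalid/me' 'OLD*TOKEN?' 'NEW&TOKEN'
echo
rm -f "$demo"
```

set_frontmatter_value only rewrites a line whose key already exists, which matches the refresh flow where the key is present from initial setup; a missing key leaves the file untouched rather than appending outside the frontmatter block.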