From d6770d2ae9baad3f50454b3ddbf5eb0df9e5e667 Mon Sep 17 00:00:00 2001
From: "MD. MOHIBUR RAHMAN"
 <35300157+mrpmohiburrahman@users.noreply.github.com>
Date: Tue, 24 Feb 2026 05:06:10 +0600
Subject: [PATCH] fix(cli): escape executables in shell autocompletion to
 prevent command injection

---
 packages/cli/src/ui/hooks/useShellCompletion.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/cli/src/ui/hooks/useShellCompletion.ts b/packages/cli/src/ui/hooks/useShellCompletion.ts
index 2329f0d67c..23f04aee4a 100644
--- a/packages/cli/src/ui/hooks/useShellCompletion.ts
+++ b/packages/cli/src/ui/hooks/useShellCompletion.ts
@@ -432,7 +432,7 @@ export function useShellCompletion({
           .slice(0, MAX_SHELL_SUGGESTIONS)
           .map((cmd) => ({
             label: cmd,
-            value: cmd,
+            value: escapeShellPath(cmd),
             description: 'command',
           }));
       } else {