Added warning to avoid command substitution in run_shell_command tool… (#9934)

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

packages/core/src/utils/shell-utils.ts

@@ -266,6 +266,11 @@ export function detectCommandSubstitution(command: string): boolean {
         return true;
       }
 
+      // >(...) process substitution - works unquoted only (not in double quotes)
+      if (char === '>' && nextChar === '(' && !inDoubleQuotes && !inBackticks) {
+        return true;
+      }
+
       // Backtick command substitution - check for opening backtick
       // (We track the state above, so this catches the start of backtick substitution)
       if (char === '`' && !inBackticks) {
@@ -319,7 +324,7 @@ export function checkCommandPermissions(
       allAllowed: false,
       disallowedCommands: [command],
       blockReason:
-        'Command substitution using $(), <(), or >() is not allowed for security reasons',
+        'Command substitution using $(), `` ` ``, <(), or >() is not allowed for security reasons',
       isHardDenial: true,
     };
   }