Please do not open a public GitHub issue for security matters.

Use GitHub Private Security Advisories to report privately. You will receive a response within 7 days.

xsh loads and executes shell code from user-provided library repositories. Library authors are responsible for validating inputs within their utilities. The xsh framework itself does not sanitize arguments passed to library utilities.