RivasSec

Infrastructure. Security. Insight.

Field notes on infrastructure security, cloud hardening, Kubernetes, IAM, and OSINT by RivasSec.

Bandit-Clean Pwnagotchi Plugins: How `subprocess` Goes From Risk to Routine

Pwnagotchi plugins live one `shell=True` away from local code execution. Walking through the hardening of `bt-tether-multi` against Bandit B602/B603/B607: full-path resolution with `shutil.which()`, argv-list invocations, MAC and name validation, and the `# nosec` discipline. The patterns generalize to anything that shells out from Python.
