SQL injection vulnerability in database purge operations
created
medium
manu
supervisor
2026-04-01 21:01
Location
src/supervisor/cli.py:449
Description
cli.py lines 449-456 build the SQL for the dry-run purge operation by string interpolation. The actual deletion uses parameterized queries, but the dry-run counting queries access store._conn directly and could be exploited if the days parameter is manipulated. This breaks the abstraction barrier and bypasses the Store's safe query interface; the counting queries should go through store._execute(), which parameterizes its arguments.
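The pattern described above, reproduced as an added example that is not the supervisor project's code: a constructed in-memory Store with a hypothetical `events` table, a dry-run count that bypasses `_execute()` and interpolates `days` into the SQL text, and the corrected version that validates the type and binds the value through the Store's single query interface. The table name, column name and reference date are assumptions for the demonstration.

```python
import sqlite3
from datetime import datetime, timedelta


class Store:
    """Constructed stand-in for the supervisor's Store (hypothetical schema)."""

    def __init__(self, reference_date="2026-04-01"):
        self.reference_date = reference_date
        self._conn = sqlite3.connect(":memory:")
        self._conn.execute(
            "CREATE TABLE events (id INTEGER PRIMARY KEY, created_at TEXT NOT NULL)"
        )
        # Constructed sample rows: events 1, 5, 40, 90 and 400 days old.
        ref = datetime.strptime(reference_date, "%Y-%m-%d")
        rows = [((ref - timedelta(days=d)).strftime("%Y-%m-%d"),) for d in (1, 5, 40, 90, 400)]
        self._conn.executemany("INSERT INTO events (created_at) VALUES (?)", rows)

    def _execute(self, sql, params=()):
        # Single choke point: every query passes through here with bound parameters,
        # so callers never splice values into SQL text.
        return self._conn.execute(sql, params)


def dry_run_count_unsafe(store, days):
    # Mirrors the reported defect: reaches into store._conn and interpolates `days`.
    # Whatever string `days` holds becomes part of the SQL statement.
    sql = (
        "SELECT COUNT(*) FROM events "
        f"WHERE created_at < date('{store.reference_date}', '-{days} days')"
    )
    return store._conn.execute(sql).fetchone()[0]


def dry_run_count_safe(store, days):
    # Hardened form: enforce the expected type, then bind the value via placeholder
    # through Store._execute(). The modifier string is assembled inside SQLite from
    # the bound integer, so the statement text never changes.
    if isinstance(days, bool) or not isinstance(days, int) or days < 0:
        raise ValueError("days must be a non-negative integer")
    sql = (
        "SELECT COUNT(*) FROM events "
        "WHERE created_at < date(?, '-' || ? || ' days')"
    )
    return store._execute(sql, (store.reference_date, days)).fetchone()[0]


def safe_rejects(store, value):
    # Helper for checking that the hardened path refuses a malformed `days`.
    try:
        dry_run_count_safe(store, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    store = Store()
    print("safe count, 30 days:", dry_run_count_safe(store, 30))
    print("unsafe count, 30 days:", dry_run_count_unsafe(store, 30))
    # A crafted string turns the count into a tautology and reports every row.
    crafted = "0 days') OR 1=1 --"
    print("unsafe count, crafted input:", dry_run_count_unsafe(store, crafted))
    print("safe path rejects crafted input:", safe_rejects(store, crafted))
```

With an honest `days=30` both functions report the same three rows, so the defect is invisible in normal use; only the interpolated version changes meaning when `days` is not the integer the caller expected, while the parameterized version refuses the value before any SQL runs.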