fix: sanitize subprocess call in generate_snapshots.py #3688

Merged
keith-hall merged 2 commits into sharkdp:master from orbisai0security:fix-fix-shell-injection-subprocess-call
Apr 12, 2026

Conversation

@orbisai0security
Contributor

Summary

Fix critical severity security issue in tests/snapshots/generate_snapshots.py.

Vulnerability

Field    | Value
---------|------------------------------------------
ID       | V-001
Severity | CRITICAL
Scanner  | multi_agent_ai
Rule     | V-001
File     | tests/snapshots/generate_snapshots.py:32

Description: The Python test script uses subprocess.call() with shell=True, which executes commands through the system shell and interprets shell metacharacters. At line 32, a 'command' variable is passed directly to the shell without sanitization. If this variable contains or is influenced by external data (environment variables, configuration files, command-line arguments), attackers can inject arbitrary shell commands using operators like semicolons, pipes, or command substitution.

Changes

  • tests/snapshots/generate_snapshots.py

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

Automated security fix generated by Orbis Security AI
Collaborator

@keith-hall keith-hall left a comment


Thanks for your contribution. One small concern before merging, see the inline comment.

Comment thread tests/snapshots/generate_snapshots.py Outdated
@orbisai0security
Contributor Author

Changes Applied

I've updated the code based on your feedback:

Addressing @keith-hall's review comment: the arguments parameter in generate_snapshot is currently a plain string inserted as a single list element. If it contained a space (e.g., a flag with a value like --some-flag value), it would be passed as one token to the subprocess instead of two separate arguments, causing incorrect behavior.

The fix:

  1. Add from typing import Iterable and add type hints (name: str, arguments: Iterable[str]) to generate_snapshot.
  2. Use *arguments to unpack the iterable into the command list.
  3. Update the call site in generate_style_snapshot to pass ["--style={}".format(style)] (a list) instead of a bare string.

Files modified:

  • tests/snapshots/generate_snapshots.py

The changes have been pushed to this PR branch. Please review!
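The two points discussed in this PR, the shell=True call replaced by an argv list and the arguments string that must be unpacked token by token, as an added example that is not the bat project's own script. The bat binary is replaced with a small Python child process that echoes its argv so the example runs anywhere; build_command, build_command_single_token and received_args are names assumed here.

```python
import json
import subprocess
import sys
from typing import Iterable, List

# Stand-in for the bat binary (constructed for this example): a child Python
# process that prints its own argv as JSON, so we can see exactly what it received.
ECHO_ARGV = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]


def build_command(name: str, arguments: Iterable[str]) -> List[str]:
    """Build argv the way the merged fix does: one list element per token,
    with *arguments unpacked rather than inserted as a single string.
    Caveat: a bare str is also an Iterable[str] and would be unpacked into
    characters, which is why the call site must pass a list."""
    return [*ECHO_ARGV, *arguments, name]


def build_command_single_token(name: str, arguments: str) -> List[str]:
    """The pre-review shape: the whole arguments string becomes one element,
    so '--some-flag value' reaches the child as a single token."""
    return [*ECHO_ARGV, arguments, name]


def received_args(argv: List[str]) -> List[str]:
    """Run argv with the default shell=False and return what the child saw.
    No shell parses the list, so ';', '|' or '$(...)' in any element stay literal."""
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    # A name carrying shell metacharacters arrives as one literal argument.
    print(received_args(build_command("sample.rs; echo x", ["--style=plain"])))
    # A flag with a value, passed as a list: two separate tokens, as intended.
    print(received_args(build_command("sample.rs", ["--some-flag", "value"])))
    # The reviewed bug: the same flag and value fused into one token.
    print(received_args(build_command_single_token("sample.rs", "--some-flag value")))
```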

@keith-hall keith-hall merged commit a36b02d into sharkdp:master Apr 12, 2026
23 of 24 checks passed