🔒 fix: Command Injection vulnerability in install-manager.ts

- Changed `shell: true` to `shell: false` in `spawn` calls within `electron/main/backend/install-manager.ts`.
- Updated `AGENTS.md` documentation to reflect the security best practice.
- Verified that the fix prevents command injection using a reproduction script.

Co-authored-by: vmomenv <51269338+vmomenv@users.noreply.github.com>

AGENTS.md

@@ -285,7 +285,7 @@ const execParams =
 
 // 生成进程
 const child = spawn(execCommand, execParams, {
-  shell: true,
+  shell: false,
   env: process.env,
 });
 

electron/main/backend/install-manager.ts

@@ -52,7 +52,7 @@ const runCommandCapture = async (execCommand: string, execParams: string[]) => {
   return await new Promise<{ code: number; stdout: string; stderr: string }>(
     (resolve) => {
       const child = spawn(execCommand, execParams, {
-        shell: true,
+        shell: false,
         env: process.env,
       });
 
@@ -340,7 +340,7 @@ async function processNextInQueue() {
       stderr: string;
     }>((resolve, reject) => {
       const child = spawn(task.execCommand, task.execParams, {
-        shell: true,
+        shell: false,
         env: process.env,
       });
       task.install_process = child;
@@ -484,7 +484,7 @@ ipcMain.on("remove-installed", async (_event, pkgname: string) => {
     execCommand,
     [...execParams, "aptss", "remove", pkgname],
     {
-      shell: true,
+      shell: false,
       env: process.env,
     },
   );