convert-url-to-nextjs

Warn

Audited by Socket on May 17, 2026

1 alert found:

Anomaly (LOW)
scripts/capture-url.sh

This module is primarily a capture orchestrator/validator. It does not itself show intrinsic malware behavior (no hidden exfiltration, persistence, or covert operations). However, it contains a high-impact execution sink: it runs a caller-supplied command string via `sh -c`, and it also exports sensitive file-path targets to that command. If `--browser-command` or `BROWSER_CAPTURE_CMD` can be influenced by an attacker, this becomes arbitrary command execution. Separately, `--root` is not constrained, enabling writes to attacker-chosen filesystem locations. Treat this script as safe only when browser_command and root are fully trusted and controlled by the caller.

Confidence: 74%
Severity: 64%
Audit Metadata
Analyzed At: May 17, 2026, 10:43 PM
Package URL: pkg:socket/skills-sh/yigitkonur%2Fskills-by-yigitkonur%2Fconvert-url-to-nextjs%2F@3a52f0050af33e6c1a341404edf1daf79dfeb0f2