
[SECURITY] Detector tools invoke fixed commands through the shell #4813

@gkemqk

Description


Summary

Two detector helper scripts use shell-mediated command execution for fixed, local discovery commands:

  • tools/gpu_display_detector.py calls subprocess.check_output("lspci", shell=True)
  • tools/os_detector.py calls subprocess.check_output("dir", shell=True)

Impact

These are local utility scripts rather than exposed services, so impact is low, but shell execution is unnecessary here and expands the execution surface. It also makes the OS detector depend on shell-specific behavior for a simple directory listing.

Reproduction

Search the current main branch for shell=True in these files:

rg -n 'shell=True' tools/gpu_display_detector.py tools/os_detector.py

Expected behavior

Fixed local commands should avoid shell mediation. The GPU detector can call lspci as an argv list, and the OS detector can inspect the current directory with Python stdlib APIs.

Proposed fix

Remove shell=True, use subprocess.check_output(["lspci"], ...) for GPU detection, use os.listdir(".") for the OS badge keyword scan, and add an AST regression test preventing these detector tools from reintroducing shell=True.
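As an added example (not the project's own test or code), the AST regression check described above, written so it can be run against the two detector files or against inline source. It flags any call that passes a literal shell=True, which covers subprocess.check_output as well as subprocess.run or Popen. The BEFORE and AFTER snippets are constructed samples of the reported pattern and the proposed shape; the helper names find_shell_true, check_files and test_detectors_do_not_use_shell are assumptions.

```python
"""Added example: AST check that flags shell=True in subprocess-style calls.
Not the project's own code; helper names and the sample sources are assumptions."""
import ast
from pathlib import Path

# Constructed sample of the pattern reported in the issue (before the fix).
BEFORE = '''
import subprocess
def detect_gpu():
    return subprocess.check_output("lspci", shell=True)
def detect_os():
    return subprocess.check_output("dir", shell=True)
'''

# Constructed sample of the shape the proposed fix takes (after the fix):
# argv list for the fixed command, stdlib directory listing instead of `dir`.
AFTER = '''
import os, subprocess
def detect_gpu():
    return subprocess.check_output(["lspci"], text=True)
def detect_os():
    return os.listdir(".")
'''

# Paths named in the issue; scanned only if they exist in the working tree.
DETECTOR_TOOLS = ["tools/gpu_display_detector.py", "tools/os_detector.py"]


def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'subprocess.check_output'."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def find_shell_true(source: str, filename: str = "<string>") -> list[tuple[int, str]]:
    """Return (line, callee) for every call passing a literal shell=True."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                hits.append((node.lineno, _call_name(node)))
    return sorted(hits)


def check_files(paths) -> dict[str, list[tuple[int, str]]]:
    """Scan files on disk; returns only those that contain findings."""
    findings = {}
    for p in map(Path, paths):
        if not p.is_file():
            continue
        hits = find_shell_true(p.read_text(), str(p))
        if hits:
            findings[str(p)] = hits
    return findings


def test_detectors_do_not_use_shell():
    """Regression test shape: fails if a detector reintroduces shell=True."""
    assert check_files(DETECTOR_TOOLS) == {}
    assert find_shell_true(AFTER) == []


if __name__ == "__main__":
    print("before:", find_shell_true(BEFORE))   # two findings on lines 4 and 6
    print("after: ", find_shell_true(AFTER))    # []
    print("repo:  ", check_files(DETECTOR_TOOLS))
```

The check deliberately matches only a literal True so that a guarded `shell=use_shell` variable is not flagged; if the project wants to forbid the keyword entirely, drop the ast.Constant test and report any `shell` keyword.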
