The @pensar/apex package version 0.0.58 and below contains an OS command injection vulnerability in the smart_enumerate tool. The createSmartEnumerateTool() function in src/core/agent/tools.ts improperly constructs shell commands by concatenating unsanitized user input from extensions array and url parameter. These values are passed directly to Node.js child_process.exec() function, which spawns a shell that interprets shell metacharacters. This vulnerability allows attackers to execute arbitrary OS commands with the privileges of the running process.