Code Execution Through Deception: Gemini AI CLI Hijack (tracebit.com)
11 points by uponasmile 321 days ago
1 comment

Very impressive PoC. The exploit, meanwhile... Seriously? `grep; rm -rf ~` is parsed as `grep` followed by a bunch of stuff, so just ask the user if `grep` is allowed and execute it? Was their permission system vibe coded? Gross incompetence from whoever was responsible for allowing that into the code base.
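
Added example, not part of the comment above and not Gemini CLI's own code: a sketch of the kind of allowlist check the comment describes, which approves a command by its leading word only, next to a stricter check that validates every segment of the string. The function names, the `ALLOWLIST` contents and the refusal policy are assumptions made for illustration.

```javascript
// Added illustration; all names are hypothetical, not taken from any real tool.
const ALLOWLIST = new Set(["grep", "ls", "cat"]); // constructed sample policy

// Flawed check: looks only at the leading word of the whole string.
function naiveIsAllowed(command) {
  const m = command.trim().match(/^[\w.-]+/);
  return m !== null && ALLOWLIST.has(m[0]);
}

// Split on shell control operators that sit outside quotes.
// Returns null for constructs this checker refuses to reason about.
function splitSegments(command) {
  const segments = [];
  let current = "";
  let quote = null; // null, "'" or '"'
  for (let i = 0; i < command.length; i++) {
    const ch = command[i];
    // Substitution and escapes are live everywhere except inside single quotes.
    if (quote !== "'" && (ch === "`" || ch === "\\" || (ch === "$" && command[i + 1] === "("))) return null;
    if (quote !== null) {
      if (ch === quote) quote = null;
      current += ch;
      continue;
    }
    if (ch === "'" || ch === '"') { quote = ch; current += ch; continue; }
    if (ch === "<" || ch === ">" || ch === "(" || ch === ")") return null;
    if (ch === ";" || ch === "&" || ch === "|" || ch === "\n") {
      segments.push(current);
      current = "";
      continue;
    }
    current += ch;
  }
  if (quote !== null) return null; // unterminated quote
  segments.push(current);
  return segments.map((s) => s.trim()).filter((s) => s.length > 0);
}

// Stricter check: every segment must start with an allowlisted command name.
function strictIsAllowed(command) {
  const segments = splitSegments(command);
  if (segments === null || segments.length === 0) return false;
  return segments.every((seg) => {
    const m = seg.match(/^[\w.-]+/);
    return m !== null && ALLOWLIST.has(m[0]) && /^(\s|$)/.test(seg.slice(m[0].length));
  });
}

// The string quoted in the thread is only classified here, never executed.
console.log(naiveIsAllowed("grep; rm -rf ~"), strictIsAllowed("grep; rm -rf ~")); // true false
```

The stricter check fails closed: anything it cannot parse with certainty (substitution, escapes, redirection, subshells) is rejected rather than passed to the user as a prompt for the first word.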