fix: address greptile review comments (P2 fixes)

34ee35b
feat: add deeplink controls and Raycast extension #1838

Superagent Security / Security scan required action May 18, 2026 in 1m 5s

PR requires security review

2 security concern(s) detected.

Details

  1. [MEDIUM] External deeplinks can control recording and devices without confirmation (apps/desktop/src-tauri/src/deeplink_actions.rs:352)
    Require explicit user opt-in and/or confirmation before executing externally triggered recording and device-control deeplinks, especially record/start, record/stop, microphone off, and camera off. Consider routing Raycast through an authenticated local IPC/token flow, or gate these deeplinks behind a setting with clear UI and rate limiting.

  2. [LOW] NPM script executes latest Raycast CLI outside the lockfile (apps/raycast/package.json:34)
    Use the pinned local dependency from the lockfile instead of @latest, for example the package's local Raycast CLI via pnpm exec, or pin the npx invocation to the reviewed version such as npx @raycast/[email protected] lint.