install-x

The server executes dynamically named shell scripts (e.g., `library_name.sh`) based on user input for `install(library_name)`. While the `is_supported` check attempts to validate `library_name`, the execution of arbitrary shell scripts in `src/install_x/install/` remains a significant risk if the naming convention is exploited or if a malicious package is registered on PyPI/npm/crates.io with a name matching a local trusted script. Many installation scripts utilize `sudo apt install` and `wget` without explicit content hash verification, `git clone` from external repositories, and `pip install` from direct GitHub links, leading to high exposure to supply chain attacks and privilege escalation if external sources are compromised. The implementation of `_install_python_package` incorrectly attempts to execute a shell script for *any* detected Python package, even simple PyPI libraries like 'numpy' that do not have corresponding `.sh` scripts, which is a functional bug, but also slightly mitigates arbitrary script execution for non-existent `.sh` files.