supertag-cli

The Tana Webhook Server component (part of the overall CLI, but can be run via `supertag server start`) is designed to expose API endpoints without authentication. If this server is publicly exposed on the internet without additional security measures (like a reverse proxy with authentication or strict firewall rules), it constitutes a critical security vulnerability, allowing unauthorized access to query and potentially manipulate Tana data. The tool itself uses `child_process.spawn` for specific, controlled system commands (e.g., `zip`, `unzip`, `ls`, or daemonization), and `JSON.parse` on user input, which may introduce risks if not handled robustly. `Playwright` is used for browser automation in the `supertag-export` part, which could expose to browser vulnerabilities, though it's typically for local authentication flow. When run locally and not exposed, the risks are significantly mitigated.