wildlife2_client
Verified Safe by readcommitted
Overview
Organizing, identifying, and exploring wildlife imagery using AI models, geospatial analysis, and semantic search.
Installation
streamlit run main.py
Environment Variables
- MEDIA_ROOT
- PREDICTIONS_JSON
- ENVIRONMENT
- DEBUG
- DATABASE_URL
- DEFAULT_CONFIDENCE_THRESHOLD
- WIKI_API_URL
- USER_AGENT
- OPENAI_API_KEY
- EMBED_MODEL
- GPTMODEL
- SPACE_NAME
- REGION
- ACCESS_KEY
- SECRET_KEY
- WATCHER_IMAGES
- WATCHER_WAIT
- APP_MODE
Security Notes
The project uses environment variables or Streamlit secrets for sensitive API keys (e.g., OpenAI, DigitalOcean Spaces, Database), which is good practice. External tools (`exiftool`, `ogr2ogr`) are invoked via `subprocess.run`; while using lists for commands reduces shell injection risk, reliance on external input for file paths or connection strings still poses a potential risk if not thoroughly sanitized. `torch.load` is used for model loading, which can be vulnerable to arbitrary code execution if model files are untrusted; the `load_speciesnet` function offers an optional SHA256 checksum validation to mitigate this. `ast.literal_eval` is used for parsing data, which is generally safer than `eval()` but should still be used with caution for untrusted inputs. Overall, common modern application security practices are followed for secrets, but external dependencies introduce typical supply-chain and runtime execution risks that require careful management of trusted sources.