Yea that's a good point. You really don't want to have someone else access your clarity installation. This takes URL parameters and runs them on the command line. Probably the most insecure thing invented by man. Hide it will.
No, the most insecure things invented by people take URL parameters from unauthenticated requests and run them on the command line.
I didn't audit the code or anything, but all the request processing is gated by a function that requires HTTP basic-auth, which is at least hard to screw up. To accidentally add a function that bypasses auth, they'd have to write an entire new request handler chain.
That said, I noticed the same thing (popen), and if I was going to integrate this with our product, I'd hardcode the command line.
