diff --git a/agents/doc-updater.md b/agents/doc-updater.md
index a33a2e7..665aae5 100644
--- a/agents/doc-updater.md
+++ b/agents/doc-updater.md
@@ -27,8 +27,8 @@ You are a documentation specialist focused on keeping codemaps and documentation
 ### Analysis Commands
 
 ```bash
-# Analyze TypeScript project structure
-npx ts-morph
+# Analyze TypeScript project structure (run custom script using ts-morph library)
+npx tsx scripts/codemaps/generate.ts
 
 # Generate dependency graph
 npx madge --image graph.svg src/
diff --git a/scripts/lib/utils.js b/scripts/lib/utils.js
index 23172c3..4b07e37 100644
--- a/scripts/lib/utils.js
+++ b/scripts/lib/utils.js
@@ -223,15 +223,23 @@ function appendFile(filePath, content) {
 
 /**
  * Check if a command exists in PATH
+ * Uses execFileSync to prevent command injection
  */
 function commandExists(cmd) {
+  // Validate command name - only allow alphanumeric, dash, underscore, dot
+  if (!/^[a-zA-Z0-9_.-]+$/.test(cmd)) {
+    return false;
+  }
+
   try {
     if (isWindows) {
-      execSync(`where ${cmd}`, { stdio: 'pipe' });
+      // Use spawnSync to avoid shell interpolation
+      const result = spawnSync('where', [cmd], { stdio: 'pipe' });
+      return result.status === 0;
     } else {
-      execSync(`which ${cmd}`, { stdio: 'pipe' });
+      const result = spawnSync('which', [cmd], { stdio: 'pipe' });
+      return result.status === 0;
     }
-    return true;
   } catch {
     return false;
   }
@@ -239,6 +247,13 @@ function commandExists(cmd) {
 
 /**
  * Run a command and return output
+ *
+ * SECURITY NOTE: This function executes shell commands. Only use with
+ * trusted, hardcoded commands. Never pass user-controlled input directly.
+ * For user input, use spawnSync with argument arrays instead.
+ *
+ * @param {string} cmd - Command to execute (should be trusted/hardcoded)
+ * @param {object} options - execSync options
  */
 function runCommand(cmd, options = {}) {
   try {
diff --git a/scripts/setup-package-manager.js b/scripts/setup-package-manager.js
index f765891..1a6a8fa 100644
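Review bot: The added doc line `* Uses execFileSync to prevent command injection` in commandExists does not match the code, which calls `spawnSync`; change it to `* Uses spawnSync with an argument array so the name is never shell-interpolated`. The allow-list `/^[a-zA-Z0-9_.-]+$/` still accepts a name that starts with `-`, so a value such as `-a` reaches `which`/`where` as an option rather than a program name; tightening the first character, `if (!/^[a-zA-Z0-9_][a-zA-Z0-9_.-]*$/.test(cmd)) {`, closes that gap. spawnSync does not throw when the executable cannot be started — it reports `result.error` and leaves `status` null — so `result.status === 0` already yields false in that case and the remaining try/catch is mostly vestigial; a one-line comment saying so would save the next reader a detour. This assumes `spawnSync` is imported from `node:child_process` at the top of the file, which is outside the hunk.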
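Review bot: The new JSDoc on runCommand documents both parameters but not what the function returns on success or on failure, which is the part a caller deciding whether to trust its output most needs; add a `@returns` line describing what the try/catch yields in each case. The body of runCommand continues outside the hunk, so the exact return shape is not visible here and should be taken from the catch branch below.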
--- a/scripts/setup-package-manager.js
+++ b/scripts/setup-package-manager.js
@@ -89,8 +89,8 @@ function detectAndShow() {
   console.log('');
   console.log('Commands:');
   console.log(` Install: ${pm.config.installCmd}`);
-  console.log(` Run script: ${pm.config.runCmd}