From b23860a54ce91cfbe59258332611735d64ddbdd0 Mon Sep 17 00:00:00 2001
From: Pragmatic Software <pragma78@gmail.com>
Date: Sun, 25 Jul 2021 18:54:07 -0700
Subject: [PATCH] Plugin/RunCommand: update header with comments

---
 lib/PBot/Plugin/RunCommand.pm | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/lib/PBot/Plugin/RunCommand.pm b/lib/PBot/Plugin/RunCommand.pm
index ba1093f1..3c74e817 100644
--- a/lib/PBot/Plugin/RunCommand.pm
+++ b/lib/PBot/Plugin/RunCommand.pm
@@ -1,6 +1,21 @@
 # File: RunCommand.pm
 #
 # Purpose: Runs a command, streaming each line of output in real-time.
+#
+# WARNING: The `runcmd` will allow a user to run any command on your system. Do
+# not give out the `can-runcmd` capability to anyone you do not trust 100%.
+#
+# Consider making a locked-down factalias instead; i.e.:
+#
+#   factalias ls runcmd ls $args
+#   factset ls cap-override can-runcmd
+#   factset ls locked 1
+#
+# The above will create an `ls` alias that can only run `runcmd ls $args` and
+# cannot be modified by anybody. The cap-override is necessary so the alias
+# itself has permission to use `runcmd` regardless of whether the user has the
+# `can-runcmd` capability.
+
 
 # SPDX-FileCopyrightText: 2021 Pragmatic Software <pragma78@gmail.com>
 # SPDX-License-Identifier: MIT