diff --git a/skills/company-research/scripts/compile_report.mjs b/skills/company-research/scripts/compile_report.mjs
index 2759c69..bb90a40 100644
--- a/skills/company-research/scripts/compile_report.mjs
+++ b/skills/company-research/scripts/compile_report.mjs
@@ -169,7 +169,9 @@ for (const file of files) {
 const fields = parseFrontmatter(content);
 if (!fields) continue;
 const body = parseBody(content);
- const slug = file.replace('.md', '');
+ // Sanitize slug to prevent path traversal via crafted filenames
+ // (e.g. "../../etc/evil.md" → "evilevil" without "../" components)
+ const slug = file.replace('.md', '').replace(/\.\./g, '').replace(/[\\/]/g, '');
 companies.push({ ...fields, body, slug, file });
 }
@@ -351,6 +353,6 @@ console.log(join(dir, 'index.html'));
 // Open in browser if requested
 if (shouldOpen) {
- const { execSync } = await import('child_process');
- try { execSync(`open "${join(dir, 'index.html')}"`); } catch {}
+ const { execFileSync } = await import('child_process');
+ try { execFileSync('open', [join(dir, 'index.html')]); } catch {}
 }
diff --git a/skills/event-prospecting/scripts/compile_report.mjs b/skills/event-prospecting/scripts/compile_report.mjs
index e0f55c6..8106012 100644
--- a/skills/event-prospecting/scripts/compile_report.mjs
+++ b/skills/event-prospecting/scripts/compile_report.mjs
@@ -273,7 +273,8 @@ function readMdDir(p) {
 const fields = parseFrontmatter(content);
 if (!fields) return null;
 const body = parseBody(content);
- const slug = f.replace('.md', '');
+ // Sanitize slug to prevent path traversal via crafted filenames
+ const slug = f.replace('.md', '').replace(/\.\./g, '').replace(/[\\/]/g, '');
 return { ...fields, body, slug, file: f };
 }).filter(Boolean);
 }
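Review bot: The sanitizer on the new `const slug = …` line removes separators after it removes `..`, so a name such as `./.` contains no `..` at the first step and becomes `..` once its slash is stripped; the example in the new comment is also off, since `"../../etc/evil.md"` produces `etcevil` (first `.md` removed, then `..`, then the slashes), not `evilevil`. `replace('.md', '')` drops the first `.md` anywhere in the name rather than the trailing extension, so `a.md.md` ends up as `a.md`. If `files` is a directory listing the names cannot carry separators in the first place, so what actually protects later path or HTML use of `slug` is an allowlist on what remains: `const slug = file.replace(/\.md$/, '').replace(/[^A-Za-z0-9_-]/g, '');` followed by `if (slug === '') continue;` to skip names that sanitize to nothing. The same lines appear in the `readMdDir` hunk of skills/event-prospecting/scripts/compile_report.mjs, where the skip would be `return null;` inside the `.map` callback. The enclosing `for (const file of files)` loop begins before the hunk.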
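Review bot: The new `execFileSync('open', [join(dir, 'index.html')])` line closes the shell-injection path, but the single argument is whatever `join` returns, and when `dir` is a relative path beginning with `-` the result also begins with `-` and `open` will parse it as an option instead of a file; resolving first, `execFileSync('open', [resolve(dir, 'index.html')], { stdio: 'ignore' })` (assuming `resolve` from `node:path` is imported alongside `join`), removes that case because an absolute path never looks like a flag. The bare `catch {}` still hides every failure, including `open` being absent on non-macOS hosts, so the user gets no hint why nothing opened; a `console.error` inside the catch keeps the best-effort behaviour without the silence. The same two lines appear in the `shouldOpen` hunk of skills/event-prospecting/scripts/compile_report.mjs.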
@@ -907,6 +908,6 @@ console.error(JSON.stringify({
 console.log(join(dir, 'index.html'));
 if (shouldOpen) {
- const { execSync } = await import('child_process');
- try { execSync(`open "${join(dir, 'index.html')}"`); } catch {}
+ const { execFileSync } = await import('child_process');
+ try { execFileSync('open', [join(dir, 'index.html')]); } catch {}
 }