
Security: Ircama/construct-gallery


SECURITY.md

Security Policy of the construct-gallery module

The construct-gallery module is considered an engineering tool for developers and testers.

pyshell_plugin.py calls eval() on untrusted strings. This is a potential security issue, but it is useful for engineering observations. The feature can be disabled.

The module also uses the pickle module to save and load samples, which is not secure: maliciously crafted pickle data can be constructed that corrupts the behaviour of the component when it is loaded. Never load pickled data ("Load from file") that was not directly generated by the "Save to file" function of this component. This feature can be disabled.
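One way to enforce the "only load what Save to file wrote" rule in code, as an added example that is not part of construct-gallery: a restricted unpickler that allowlists plain data types and refuses any module/name reference in the stream. The assumption that saved samples consist only of plain containers and scalars is the example's own, not the project's documented format.

```python
import io
import os
import pickle

# Allowlisted builtins: the plain containers and scalars a saved sample is
# assumed to consist of (an assumption of this example, not the project's spec).
SAFE_BUILTINS = frozenset({
    "dict", "list", "tuple", "set", "frozenset",
    "bytes", "bytearray", "str", "int", "float", "bool",
})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global (class/function) reference not allowlisted.

    pickle resolves GLOBAL/STACK_GLOBAL opcodes through find_class(); overriding
    it is the documented way to confine what a stream may look up or instantiate.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global reference {module}.{name}")


def restricted_loads(data: bytes):
    """Load a sample, allowing only plain data types; raises on anything else."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe_sample(data: bytes) -> bool:
    """True if the stream loads under the restricted policy, False if refused."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed inputs: a plain sample as "Save to file" might write it, and a
# stream that names a callable by module and attribute (what a file not
# produced by this component could contain). Functions are pickled by
# reference, so loading would import the module and look the name up.
PLAIN_SAMPLE = pickle.dumps({"name": "packet1", "raw": b"\x01\x02\x03"})
REFERENCE_SAMPLE = pickle.dumps(os.getcwd)

if __name__ == "__main__":
    print(restricted_loads(PLAIN_SAMPLE))
    print("reference stream accepted:", is_safe_sample(REFERENCE_SAMPLE))
```

Note that this only limits which names a stream may resolve; it does not make pickle a safe format for files of unknown origin, which is why the policy above is "never load" rather than "filter".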

For the "Reload construct module" feature, it is expected that the dynamically loaded components do not include security concerns. This feature can be disabled.

Reporting a Security Bug

The way to report a security bug is to open an issue including related information (e.g., reproduction steps, version).

There aren’t any published security advisories