fix: validate custom install path in install.sh to prevent path traversal

User-supplied custom path was passed directly to mkdir -p and cp -r without
sanitization, allowing path traversal via .. segments or shell metacharacters.
Added validation to reject traversal sequences, restrict to safe characters,
and canonicalize via realpath before use.

Co-Authored-By: Claude Code <noreply@anthropic.com>

Author: claude[bot]

examples/digital-brain-skill/scripts/install.sh

@@ -35,6 +35,13 @@ case $choice in
         ;;
     3)
         read -p "Enter custom path: " custom_path
+        # Validate: reject empty, path traversal (..), and characters outside safe set
+        if [[ -z "$custom_path" ]] || [[ "$custom_path" == *".."* ]] || [[ "$custom_path" =~ [^a-zA-Z0-9/_.\-\ ~] ]]; then
+            echo "Invalid path. Use only letters, numbers, /, _, ., -, ~, and spaces."
+            exit 1
+        fi
+        # Canonicalize to catch traversal via symlinks or relative segments
+        custom_path="$(realpath --canonicalize-missing -- "$custom_path")"
         TARGET_DIR="$custom_path/$SKILL_NAME"
         ;;
     *)