diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..2ab29b9
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-03-28 - Command Injection via Shell Wrappers in Swift
+**Vulnerability:** Shell wrappers (e.g., `/bin/bash -c`) used in conjunction with string interpolation for dynamic inputs (like `shell("/usr/bin/which \(tool)")`) created command injection vectors.
+**Learning:** In Swift, using `Process` with a bash wrapper inherently opens up injection risks if any part of the command string is user-controllable or dynamic, even indirectly.
+**Prevention:** Avoid shell wrappers entirely. Always invoke the target binary directly (e.g., `/usr/bin/env`, `/usr/bin/which`) and pass dynamic inputs strictly as elements in the `process.arguments` array. Replicate shell features like `2>&1` by mapping `process.standardError` and `process.standardOutput` to the same `Pipe()` instance.
diff --git a/Sources/Cacheout/Models/CacheCategory.swift b/Sources/Cacheout/Models/CacheCategory.swift
index 7b3d942..6fb1ddc 100644
--- a/Sources/Cacheout/Models/CacheCategory.swift
+++ b/Sources/Cacheout/Models/CacheCategory.swift
@@ -186,8 +186,22 @@ struct CacheCategory: Identifiable, Hashable {
 }
 private func toolExists(_ tool: String) -> Bool {
- let result = shell("/usr/bin/which \(tool)")
- return result != nil && !result!.isEmpty
+ let process = Process()
+ process.executableURL = URL(fileURLWithPath: "/usr/bin/which")
+ process.arguments = [tool]
+ process.standardOutput = FileHandle.nullDevice
+ process.standardError = FileHandle.nullDevice
+ process.environment = [
+ "PATH": "/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin"
+ ]
+
+ do {
+ try process.run()
+ process.waitUntilExit()
+ return process.terminationStatus == 0
+ } catch {
+ return false
+ }
 }
 private func runProbe(_ command: String) -> String? {
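Review bot: `process.arguments = [tool]` hands `tool` to `which` unvalidated, so a value beginning with `-` is parsed as an option rather than a command name and a value containing `/` may be tested as a literal path instead of being looked up on the fixed PATH; whether `tool` can carry such values depends on callers outside the hunk, but the removed `shell(...)` form was dropped precisely because this input is treated as dynamic. A one-line guard before the `Process` is configured keeps the probe to bare names: `guard !tool.isEmpty, !tool.hasPrefix("-"), !tool.contains("/") else { return false }`. A short doc comment would also help readers of the exit-status check, e.g. `/// True when which(1) locates tool on the fixed PATH set below; output is discarded and a launch failure counts as absent.` The adjacent `runProbe(_ command: String)` still takes a whole command string, which may mean the wrapper pattern persists there; its body is outside the hunk.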
diff --git a/Sources/Cacheout/ViewModels/CacheoutViewModel.swift b/Sources/Cacheout/ViewModels/CacheoutViewModel.swift
index 13a9811..e50a217 100644
--- a/Sources/Cacheout/ViewModels/CacheoutViewModel.swift
+++ b/Sources/Cacheout/ViewModels/CacheoutViewModel.swift
@@ -231,8 +231,8 @@ class CacheoutViewModel: ObservableObject {
 let process = Process()
 let pipe = Pipe()
- process.executableURL = URL(fileURLWithPath: "/bin/bash")
- process.arguments = ["-c", "docker system prune -f 2>&1"]
+ process.executableURL = URL(fileURLWithPath: "/usr/bin/env")
+ process.arguments = ["docker", "system", "prune", "-f"]
 process.standardOutput = pipe
 process.standardError = pipe
 process.environment = [
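Review bot: `process.executableURL = URL(fileURLWithPath: "/usr/bin/env")` with `"docker"` as the first argument makes the binary that actually runs depend entirely on the `PATH` entry in `process.environment` on the following lines, whose contents are outside the hunk; if it mirrors the PATH set in CacheCategory.swift, the first two entries are the Homebrew and /usr/local prefixes, which are user-writable in a standard Homebrew install, so lookup order decides which `docker` performs a prune with the app's privileges. Resolving the binary once (via the same kind of `which` probe, or a configured absolute path) and assigning that result to `executableURL` would remove the lookup at launch time, and a comment such as `// env resolves "docker" solely via process.environment["PATH"] set below, not the app's inherited PATH` would record the dependency either way. The enclosing function starts before and ends after this hunk.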