Hacker News

superstarryeyes, last Thursday at 12:17 PM

that's a valid concern.

first of all, i'm not trying to reinvent the wheel here. for xml parsing, i'm using libexpat, one of the most widely used c xml parsers.

for networking, i'm using libcurl, the industry standard.

i have some limits in place, too. the feed size is capped at 200 kb, and there are timeouts for hanging connections. there's also a sanitization step that strips control characters that could mess with the terminal emulator, mitigating escape sequences.

that said, i'm no security expert, and the source code is public. if anyone more knowledgeable spots a security hole, i'd be happy to merge a fix.
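An added example, not code from the commenter's project: a sketch of the two limits the comment describes, a 200 KB cap on accumulated feed bytes and a filter that strips terminal control characters before display. The names `feed_buf`, `feed_append` and `sanitize_for_terminal` are hypothetical, and enforcing the cap inside a callback shaped like libcurl's `CURLOPT_WRITEFUNCTION` is an assumption about where such a check would sit.

```c
#include <stdio.h>
#include <string.h>

#define FEED_CAP (200 * 1024)   /* the 200 KB cap mentioned in the comment */

struct feed_buf { char data[FEED_CAP]; size_t len; };   /* hypothetical */

/* Same shape as a libcurl CURLOPT_WRITEFUNCTION callback. Returning a count
 * other than size*nmemb makes libcurl abort the transfer. */
size_t feed_append(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct feed_buf *b = userdata;
    if (size != 0 && nmemb > (FEED_CAP - b->len) / size)
        return 0;                       /* chunk would exceed the cap */
    memcpy(b->data + b->len, ptr, size * nmemb);
    b->len += size * nmemb;
    return size * nmemb;
}

/* Strip terminal control bytes in place; returns the new length.
 * Removes C0 controls (ESC included) except \n and \t, DEL, and C1 controls
 * encoded in UTF-8 as 0xC2 0x80..0x9F (U+009B is an 8-bit CSI). */
size_t sanitize_for_terminal(char *s, size_t len)
{
    size_t w = 0;
    for (size_t r = 0; r < len; r++) {
        unsigned char c = (unsigned char)s[r];
        if ((c < 0x20 && c != '\n' && c != '\t') || c == 0x7F)
            continue;
        /* Compare with the last byte kept, not the last byte read, so that
         * dropping a byte between 0xC2 and 0x9B cannot splice a CSI together. */
        if (c >= 0x80 && c <= 0x9F && w > 0 && (unsigned char)s[w - 1] == 0xC2) {
            w--;
            continue;
        }
        s[w++] = (char)c;
    }
    return w;
}

int main(void)
{
    char title[] = "News \x1b[2J\xC2\x1B\x9B" "31m item";   /* constructed input */
    size_t n = sanitize_for_terminal(title, sizeof title - 1);
    printf("%.*s\n", (int)n, title);
    return 0;
}
```

The filter leaves the printable remainder of a sequence (such as `[2J`) in place as inert text, and multi-byte UTF-8 characters outside U+0080..U+009F pass through unchanged.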