By default, any admin can use fsay and fsend to do basically anything they want. In the case of the official lykos instance on freenode, all admins have shell access anyway, so it's not really an issue there - we could already do anything we wanted without going through the bot. But not all lykos setups should be assumed to trust all their admins that completely. I propose that fsend be owner-only by default (arbitrary IRC commands are sometimes useful, but mostly not for everyday activities that it's important for non-owner admins to be able to do) and fsay be restricted to the game channel for everyone, or at minimum not accept serv as a target or allow multitarget/commas in the target at all. (Note that not all networks name their services the same, so just blocking serv would still leave potential vulnerabilities on some networks.)
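The proposal above, sketched as an added example (not part of the original issue and not lykos code): an owner-only gate for fsend plus two candidate target checks for fsay, showing why the allowlist holds where a name-based denylist does not. The channel name, role names, sample targets and every function name here are assumptions made for illustration.

```python
import string

GAME_CHANNEL = "#werewolf"   # assumed game channel name
OWNER_ONLY = {"fsend"}       # proposal: raw IRC commands are owner-only

# RFC 1459 casemapping: {}|^ are the lowercase forms of []\~
_RFC1459 = str.maketrans(string.ascii_uppercase + "[]\\~",
                         string.ascii_lowercase + "{}|^")

def irc_lower(name):
    """Case-fold a nick or channel the way an RFC 1459 server compares them."""
    return name.translate(_RFC1459)

def denylist_allows(target):
    """'At minimum' variant: refuse any target whose name ends in 'serv'."""
    return not any(irc_lower(t).endswith("serv") for t in target.split(","))

def allowlist_allows(target, game_channel=GAME_CHANNEL):
    """Strict variant: the target must be exactly the game channel."""
    if any(c in target for c in ",\r\n\0 "):
        return False  # multitarget or characters that break the protocol line
    return irc_lower(target) == irc_lower(game_channel)

def may_run(command, role, target=None):
    """Permission gate; role is 'owner' or 'admin' (constructed role names)."""
    if command in OWNER_ONLY:
        return role == "owner"
    if command == "fsay":
        return (role in ("owner", "admin") and target is not None
                and allowlist_allows(target))
    return False

# Constructed sample targets. Q and X are service bots on networks that do
# not follow the *Serv naming convention.
SAMPLES = ["#werewolf", "#WereWolf", "NickServ", "#werewolf,NickServ", "Q", "X"]

def compare(samples=SAMPLES):
    """Return (target, denylist verdict, allowlist verdict) for each sample."""
    return [(t, denylist_allows(t), allowlist_allows(t)) for t in samples]

if __name__ == "__main__":
    for target, deny_ok, allow_ok in compare():
        print(f"{target!r:24} denylist={deny_ok!s:5} allowlist={allow_ok}")
```
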