diff --git a/lib/common-functions.sh b/lib/common-functions.sh
index c8b9fb4..7bdd02d 100755
--- a/lib/common-functions.sh
+++ b/lib/common-functions.sh
@@ -173,7 +173,7 @@ create_temp_session() {
     mkdir -p "$TEMP_SESSION_DIR"
 
     # Cleanup on exit
-    trap "rm -rf $TEMP_SESSION_DIR 2>/dev/null" EXIT INT TERM
+    trap '[ -n "$TEMP_SESSION_DIR" ] && rm -rf "$TEMP_SESSION_DIR" 2>/dev/null' EXIT INT TERM
 }
 
 # Ask user for confirmation
diff --git a/lib/ip-reputation.sh b/lib/ip-reputation.sh
index 236800d..bfa2ade 100644
--- a/lib/ip-reputation.sh
+++ b/lib/ip-reputation.sh
@@ -65,12 +65,12 @@ acquire_lock() {
     local timeout=10
     local elapsed=0
 
-    while [ -f "$IP_REP_LOCK" ] && [ $elapsed -lt $timeout ]; do
+    while [ -f "$IP_REP_LOCK" ] && [ ${elapsed:-0} -lt $timeout ]; do
         sleep 0.1
         elapsed=$((elapsed + 1))
     done
 
-    if [ $elapsed -ge $timeout ]; then
+    if [ ${elapsed:-0} -ge $timeout ]; then
         # Stale lock, remove it
         rm -f "$IP_REP_LOCK" 2>/dev/null
     fi
@@ -277,13 +277,13 @@ mark_ip_legitimate() {
 get_ip_reputation_category() {
     local score="$1"
 
-    if [ $score -ge $REP_SCORE_CRITICAL ]; then
+    if [ ${score:-0} -ge $REP_SCORE_CRITICAL ]; then
         echo "CRITICAL"
-    elif [ $score -ge $REP_SCORE_HIGH ]; then
+    elif [ ${score:-0} -ge $REP_SCORE_HIGH ]; then
         echo "HIGH"
-    elif [ $score -ge $REP_SCORE_MEDIUM ]; then
+    elif [ ${score:-0} -ge $REP_SCORE_MEDIUM ]; then
         echo "MEDIUM"
-    elif [ $score -ge $REP_SCORE_LOW ]; then
+    elif [ ${score:-0} -ge $REP_SCORE_LOW ]; then
         echo "LOW"
     else
         echo "SAFE"
@@ -525,7 +525,7 @@ should_block_ip() {
 
     IFS='|' read -r _ _ rep_score _ _ _ _ _ _ <<< "$data"
 
-    [ $rep_score -ge $threshold ] && return 0  # Should block
+    [ ${rep_score:-0} -ge $threshold ] && return 0  # Should block
     return 1  # Should not block
 }
 
diff --git a/lib/mysql-analyzer.sh b/lib/mysql-analyzer.sh
index c15caab..e3c1cb6 100755
--- a/lib/mysql-analyzer.sh
+++ b/lib/mysql-analyzer.sh
@@ -121,6 +121,7 @@ declare -gA PROBLEM_PATTERNS=(
 # Map database to user and domain
 map_database_to_user_domain() {
     local db_name="$1"
+    [ -z "$db_name" ] && return 1
     local map_file="${TEMP_SESSION_DIR}/db_user_domain_map.tmp"
 
     # Return cached if exists
@@ -155,12 +156,14 @@ map_database_to_user_domain() {
 # Get database owner
 get_database_owner() {
     local db_name="$1"
+    [ -z "$db_name" ] && return 1
     map_database_to_user_domain "$db_name" | cut -d'|' -f2
 }
 
 # Get database domain
 get_database_domain() {
     local db_name="$1"
+    [ -z "$db_name" ] && return 1
     map_database_to_user_domain "$db_name" | cut -d'|' -f3
 }
 
@@ -217,6 +220,7 @@ parse_slow_query_log() {
 # Identify plugin from table name
 identify_plugin_from_table() {
     local table_name="$1"
+    [ -z "$table_name" ] && return 1
 
     # Remove prefix to get base table name
     local base_table=$(echo "$table_name" | sed 's/^[a-z0-9]*_wp_//; s/^wp_//')
@@ -242,6 +246,7 @@ identify_plugin_from_table() {
 get_table_size() {
     local db_name="$1"
     local table_name="$2"
+    [ -z "$db_name" ] || [ -z "$table_name" ] && return 1
 
     mysql -Ns -e "SELECT ROUND(((data_length + index_length) / 1024 / 1024), 2)
                   FROM information_schema.TABLES
@@ -251,6 +256,7 @@ get_table_size() {
 # Get all tables for database
 get_database_tables() {
     local db_name="$1"
+    [ -z "$db_name" ] && return 1
 
     mysql -Ns "$db_name" -e "SHOW TABLES" 2>/dev/null
 }
@@ -259,6 +265,7 @@ get_database_tables() {
 analyze_table_structure() {
     local db_name="$1"
     local table_name="$2"
+    [ -z "$db_name" ] || [ -z "$table_name" ] && return 1
 
     # Get table status
     mysql -Ns -e "SHOW TABLE STATUS FROM \`$db_name\` LIKE '$table_name'" 2>/dev/null
@@ -271,6 +278,7 @@ analyze_table_structure() {
 # Extract database from query
 extract_database_from_query() {
     local query="$1"
+    [ -z "$query" ] && return 1
 
     # Try to extract from USE statement
     if echo "$query" | grep -qiE "^USE "; then
diff --git a/modules/security/bot-analyzer.sh b/modules/security/bot-analyzer.sh
index f86c9ac..298a17f 100755
--- a/modules/security/bot-analyzer.sh
+++ b/modules/security/bot-analyzer.sh
@@ -1263,7 +1263,7 @@ generate_report() {
             # Detect spikes (>2x average)
             avg_traffic=$((total_requests / 24))
             spike=""
-            [ $count -gt $((avg_traffic * 2)) ] && spike=" SPIKE"
+            [ ${count:-0} -gt $((avg_traffic * 2)) ] && spike=" SPIKE"
 
             # Strip leading zeros to avoid octal interpretation
             hour_num=$((10#$hour))
diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index 9c8a3ee..2f4e7b3 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -838,7 +838,7 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do
     ((SCANNERS_COMPLETED++))
 
     # Wait between scanners
-    if [ $SCANNERS_COMPLETED -lt $TOTAL_SCANNERS ]; then
+    if [ ${SCANNERS_COMPLETED:-0} -lt $TOTAL_SCANNERS ]; then
         echo "Waiting 3 seconds before next scanner..."
         sleep 3
     fi
@@ -906,18 +906,28 @@ done
             # Look for POST requests to the directory containing the infected file
 
             # Use system-detected log directory with control panel-specific search
-            local log_search_cmd
             if [ "$CONTROL_PANEL" = "interworx" ]; then
                 # InterWorx: Search /home/*/var/*/logs/transfer.log (VERIFIED: uses 'transfer.log')
-                log_search_cmd="find /home/*/var/*/logs -type f -name 'transfer.log' 2>/dev/null"
+                # Search last 7 days of logs for POST requests to this path
+                find /home/*/var/*/logs -type f -name 'transfer.log' 2>/dev/null | while read -r logfile; do
+                    # Check if this log corresponds to the domain/user
+                    grep -h "POST.*${filepath}" "$logfile" 2>/dev/null | tail -20 | while read -r logline; do
+                        # Extract IP from Apache log line
+                        local ip=$(echo "$logline" | awk '{print $1}')
+                        if [ -n "$ip" ] && [[ "$ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+                            # Flag this IP in reputation database
+                            if type flag_ip_attack &>/dev/null; then
+                                flag_ip_attack "$ip" "RCE" 25 "Malware scanner: Uploaded $filename" >/dev/null 2>&1
+                                echo "  → Flagged IP: $ip (uploaded to $filepath)" >> "$LOG_DIR/flagged_ips.log"
+                                ((flagged_ips++))
+                            fi
+                        fi
+                    done
+                done
             elif [ -n "$SYS_LOG_DIR" ] && [ -d "$SYS_LOG_DIR" ]; then
                 # cPanel/Plesk: Use detected log directory
-                log_search_cmd="find $SYS_LOG_DIR -type f -name '*.com' -o -name '*.net' -o -name '*.org' 2>/dev/null"
-            fi
-
-            if [ -n "$log_search_cmd" ]; then
                 # Search last 7 days of logs for POST requests to this path
-                eval "$log_search_cmd" | while read -r logfile; do
+                find "$SYS_LOG_DIR" -type f \( -name '*.com' -o -name '*.net' -o -name '*.org' \) 2>/dev/null | while read -r logfile; do
                     # Check if this log corresponds to the domain/user
                     grep -h "POST.*${filepath}" "$logfile" 2>/dev/null | tail -20 | while read -r logline; do
                         # Extract IP from Apache log line
diff --git a/modules/website/500-error-tracker.sh b/modules/website/500-error-tracker.sh
index 704aa4f..d15eded 100755
--- a/modules/website/500-error-tracker.sh
+++ b/modules/website/500-error-tracker.sh
@@ -53,7 +53,7 @@ echo ""
 # Temporary files
 TEMP_DIR="/tmp/500-tracker-$$"
 mkdir -p "$TEMP_DIR"
-trap "rm -rf $TEMP_DIR" EXIT
+trap '[ -n "$TEMP_DIR" ] && rm -rf "$TEMP_DIR"' EXIT
 
 ERRORS_500="$TEMP_DIR/errors_500.txt"
 ERROR_DETAILS="$TEMP_DIR/error_details.txt"
diff --git a/modules/website/website-error-analyzer.sh b/modules/website/website-error-analyzer.sh
index 881b803..6309877 100755
--- a/modules/website/website-error-analyzer.sh
+++ b/modules/website/website-error-analyzer.sh
@@ -128,7 +128,7 @@ echo ""
 # Temporary files
 TEMP_DIR="/tmp/website-error-analysis-$$"
 mkdir -p "$TEMP_DIR"
-trap "rm -rf $TEMP_DIR" EXIT
+trap '[ -n "$TEMP_DIR" ] && rm -rf "$TEMP_DIR"' EXIT
 
 CRITICAL_ERRORS="$TEMP_DIR/critical.txt"
 USER_IMPACT_ERRORS="$TEMP_DIR/user_impact.txt"
diff --git a/tools/erase-toolkit-traces.sh b/tools/erase-toolkit-traces.sh
index 63f8283..6fffb64 100755
--- a/tools/erase-toolkit-traces.sh
+++ b/tools/erase-toolkit-traces.sh
@@ -164,7 +164,7 @@ fi
 if [ "$TRACE_ERASER_AUTO" = "yes" ]; then
     # Auto mode: quick cleanup, minimal output
     cd /root 2>/dev/null
-    rm -rf "$SCRIPT_DIR" 2>/dev/null
+    [ -n "$SCRIPT_DIR" ] && rm -rf "$SCRIPT_DIR" 2>/dev/null
     clear
     echo ""
     echo -e "${GREEN}✓ All traces removed${NC}"
@@ -181,7 +181,7 @@ else
         echo ""
         echo "Removing toolkit directory..."
         cd /root
-        rm -rf "$SCRIPT_DIR"
+        [ -n "$SCRIPT_DIR" ] && rm -rf "$SCRIPT_DIR"
         echo ""
         echo -e "${GREEN}✓ Toolkit completely removed${NC}"
         echo ""
@@ -191,7 +191,7 @@ else
         echo -e "${GREEN}✓ History and logs cleaned${NC}"
         echo ""
         echo "Toolkit directory remains at: $SCRIPT_DIR"
-        echo "You can manually remove it later with: rm -rf $SCRIPT_DIR"
+        echo "You can manually remove it later with: [ -n \"\$SCRIPT_DIR\" ] && rm -rf \"\$SCRIPT_DIR\""
     fi
 
     echo ""