Hello, I'm the maintainer of pidgin-knotify( https://aur.archlinux.org/packages.php?ID=32919 ) in the AUR and i think the package should be removed as soon as possible. Today a user notified me about an unfixed bug, which allows remote command injection. It does not seem like this will be fixed in the foreseeable future.
IMHO it would be best to remove the package. Thanks
