sensepost / DET

(extensible) Data Exfiltration Toolkit (DET)


Path traversal and filename control chars

natronkeltner opened this issue · comments

Looks like 842916d accidentally introduced a path traversal vuln as os.path.pathsep (":") != os.path.sep ("/").

In det.py:

        filename = "%s.%s" % (fname.replace(
            os.path.pathsep, ''), time.strftime("%Y-%m-%d.%H:%M:%S", time.gmtime()))

Also, since you can inject filenames with arbitrary contents, it'd be a good idea to filter the filename to disallow non-ASCII printable characters. Combined with the path traversal, it might be possible to plant a file somewhere that'd abuse globbing ("foo *") in a script somewhere and get RCE out of it. (The tar example here probably wouldn't work, but maybe one could be found.)
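To make the mismatch concrete, the following added example (not DET's code) shows the quoted pattern beside a hardened replacement that keeps only the last path component, drops anything outside an ASCII allow-list (letters, digits, `.`, `_`, `-`; the allow-list and the `safe_name`/`stored_path` names are this example's assumptions), and verifies the final path still lies under the output directory:

```python
import os
import re
import time

# Allow-list for stored filenames (assumption of this example, not DET's):
# ASCII letters, digits, dot, underscore, hyphen. Everything else, including
# control characters, non-ASCII, spaces and glob metacharacters, is dropped.
_DISALLOWED = re.compile(r"[^A-Za-z0-9._-]")


def unsafe_name(fname: str) -> str:
    """Mirror of the pattern quoted in the issue. os.path.pathsep is ':' on
    POSIX (';' on Windows), so '/' and '..' survive untouched."""
    return fname.replace(os.path.pathsep, "")


def safe_name(fname: str, max_len: int = 64) -> str:
    """Hardened replacement: strip any directory part, apply the allow-list,
    refuse hidden or dot-only names, and bound the length."""
    base = os.path.basename(fname.replace("\\", "/"))  # last component only
    base = _DISALLOWED.sub("", base)                   # allow-list filter
    base = base.lstrip(".")                            # no '.', '..', or dotfiles
    if not base:
        base = "unnamed"
    return base[:max_len]


def stored_path(out_dir: str, fname: str) -> str:
    """Build the name + UTC timestamp path the way det.py does, but from the
    sanitised name, then assert the result is still inside out_dir."""
    stamp = time.strftime("%Y-%m-%d.%H:%M:%S", time.gmtime())
    path = os.path.join(out_dir, "%s.%s" % (safe_name(fname), stamp))
    real_dir = os.path.realpath(out_dir)
    if os.path.commonpath([real_dir, os.path.realpath(path)]) != real_dir:
        raise ValueError("sanitised name escaped the output directory")
    return path


if __name__ == "__main__":
    for name in ("../../etc/x", "foo *", "..", "r\x07\u00e9port.txt"):
        print(repr(name), "->", repr(unsafe_name(name)), "|", repr(safe_name(name)))
```

`unsafe_name` leaves the traversal intact on every platform because neither ':' nor ';' is the directory separator; `safe_name` reduces each of the sample inputs to a plain basename.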