
Assuming input is from a benign source is literally the cause of every single security issue ever. It's bizarre that I've been downvoted for this. And you're commenting about how I'm wrong without even reading the code. I seriously don't understand this site.


I've read it, it's sloppy but fine.

The same user who feeds in the values for 'system' is also trusting the program with their bitcoins! This is (in my opinion) like saying "bash" is a security issue because you can give it bash scripts.


I, for one, am astounded at the responses in this thread of discussion.

> why shouldn't my financial system be as open as bash?

Oh my lord...


... but it ain't your financial system. Unless I've seriously misunderstood the README.

I put my cups in the dishwasher, not the autoclave. I use 2fa for my financial accounts, but not for my frisbee league. Security is about appropriate paranoia.


In no scenario is it better to allow arbitrary hidden process creation than to spend 10 minutes writing a function that validates parameters provided to launch a process.


I respectfully disagree.



