#374 HIGH: Shell command injection via unescaped variables
Description
shell_command.py:278-281 resolves template variables and passes the result directly to a shell=True subprocess. If {{user_input}} contains '; rm -rf /', the shell executes it. Fix: use shlex.quote() when interpolating variables into shell commands.
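The following is an added example, not code from shell_command.py or the project: it contrasts a naive `{{var}}` interpolation with one that wraps every value in `shlex.quote()`, and runs both through a shell=True subprocess with a harmless constructed payload so the difference is observable. The template format, function names, and payload are assumptions made for illustration; the page's own lines 278-281 are not reproduced here.

```python
import shlex
import subprocess

# Constructed template using the {{var}} placeholder style the finding describes (assumption).
TEMPLATE = "echo file={{user_input}}"

# Constructed, harmless stand-in for the '; rm -rf /' payload in the finding.
PAYLOAD = "x; echo INJECTED"


def render_unsafe(template: str, variables: dict) -> str:
    """Vulnerable pattern: the variable text lands in the command verbatim,
    so shell metacharacters in it (';', '|', '$(...)') become operators."""
    cmd = template
    for name, value in variables.items():
        cmd = cmd.replace("{{" + name + "}}", str(value))
    return cmd


def render_safe(template: str, variables: dict) -> str:
    """Hardened pattern: each value is wrapped with shlex.quote(), so the shell
    sees it as a single literal word regardless of its contents."""
    cmd = template
    for name, value in variables.items():
        cmd = cmd.replace("{{" + name + "}}", shlex.quote(str(value)))
    return cmd


def run(cmd: str) -> str:
    """Execute the rendered command the way the finding describes (shell=True)
    and return stdout, so the two renderings can be compared."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def demo() -> dict:
    """Render and run both variants; returns stripped stdout for each."""
    variables = {"user_input": PAYLOAD}
    return {
        "unsafe_cmd": render_unsafe(TEMPLATE, variables),
        "safe_cmd": render_safe(TEMPLATE, variables),
        "unsafe_out": run(render_unsafe(TEMPLATE, variables)).strip(),
        "safe_out": run(render_safe(TEMPLATE, variables)).strip(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With the unsafe rendering the second `echo` runs as its own command and `INJECTED` appears on a separate line; with `shlex.quote()` the entire payload is printed as one literal argument. Quoting is the minimal fix for code that must keep shell=True; where the command does not need shell features at all, passing an argv list to `subprocess.run` without shell=True removes the shell from the path entirely.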