Your script is a security boundary

Never eval user input. Never build commands with unquoted variables. Use "$@" when calling other programs.

Rule: Data is data, code is code — keep them separate even when tired at 2am.