This is flagged as a security risk by code analysis tools such as DeepSource.io:
Using shell=True can expose you to security risks if someone
crafts input to issue different commands than the ones you intended.
[...]
It is recommended to use functions that don't spawn a shell.
If you must use them, use shlex.quote to sanitize the input.
See also: https://docs.python.org/3/library/subprocess.html#security-considerations
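
The following is an added illustration, not code from the original text or from any project it refers to. It passes one constructed filename to a harmless child process in three ways, showing why the warning recommends avoiding the shell or quoting with shlex.quote. The function names and the sample value are hypothetical.

```python
import shlex
import subprocess
import sys

# Harmless child process that reports the arguments it actually received.
CHILD = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]

# Constructed sample input: a "filename" containing a shell metacharacter.
SAMPLE = "report.txt; echo INJECTED"


def run_shell_unquoted(filename):
    """Flagged pattern: input is pasted into a string that /bin/sh parses."""
    cmd = shlex.join(CHILD) + " " + filename
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_shell_quoted(filename):
    """Fallback when a shell is required: quote the input with shlex.quote.

    shlex.quote targets POSIX shells only; it is not a quoting routine
    for cmd.exe or PowerShell.
    """
    cmd = shlex.join(CHILD) + " " + shlex.quote(filename)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_no_shell(filename):
    """Recommended: argument list, no shell, input stays a single argument."""
    return subprocess.run(CHILD + [filename], capture_output=True, text=True).stdout


if __name__ == "__main__":
    for fn in (run_shell_unquoted, run_shell_quoted, run_no_shell):
        print(f"{fn.__name__}:\n{fn(SAMPLE)}")
```

In the unquoted case the shell splits the input at `;` and runs a second command; in the other two cases the child receives the whole string as one argument.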