libvcs is a vcs abstraction layer. libvcs is vulnerable to command injection, which stems from the fact that when the update_repo function is called, the url argument is passed to the hg clone command, and an attacker can exploit this vulnerability to execute commands by injecting some hg options.