topydo is vulnerable to arbitrary command execution attacks. The library does not sanitize any of the TODO texts that are passed to the command line, allowing a malicious user to pass arbitrary bytes to the command line by prepending the bytes with the \
character.