
thomas-mc-work yesterday at 11:41 AM

What exactly do we see here?


Replies

nh2 yesterday at 12:15 PM

A shell injection vulnerability as soon as somebody copies the same approach somewhere else or trains your LLM on it.

Write correct code by default, always, otherwise it will end up somewhere you care about.

The best way to do that is to avoid shell, as a language that makes writing insecure code the most convenient.

(The original intent looks like it's making a desktop/launch icon, e.g. you might call it with "firefox" as an argument and it would put its logo into an application starter, provided a logo of the corresponding name is already in the place the script expects.)

timonoko yesterday at 1:19 PM

Erh? Bash-reading disability?

make-icon ABCD:

1) Makes a small picture ABCD.png from the first letters of the string "ABCD".

2) Makes an ABCD application icon using the picture ABCD.png.

3) Moving your pointing device onto that icon and pressing the appropriate button now executes ABCD.

"convert" is from ImageMagick of course.
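
A hardened sketch of the kind of helper discussed in this thread, added here as an example; it is not taken from any of the posts or from the original script, which is not shown on this page. The function names, the two-letter label, the 64x64 size and the file layout are assumptions.

```shell
#!/bin/sh
# Added example: "make-icon NAME" written so that NAME can never become
# shell syntax, an ImageMagick directive, or extra tokens in Exec=.
LC_ALL=C; export LC_ALL   # make the A-Z/a-z ranges below byte-exact

# Allow-list: letters, digits, '.', '_', '-'; not empty, no leading '-'.
# This rejects shell metacharacters and whitespace, and also '@' and '%'
# (ImageMagick reads "@file" and expands "%" escapes in annotate text)
# and ':' (ImageMagick treats "coder:" prefixes in file names specially).
valid_name() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print a desktop entry for NAME ($1) using icon path $2 (script-chosen).
# Exec= is safe unquoted only because valid_name already passed.
desktop_entry() {
  valid_name "$1" || return 1
  printf '[Desktop Entry]\nType=Application\nName=%s\nExec=%s\nIcon=%s\n' \
    "$1" "$1" "$2"
}

# Assumed behaviour: draw the first two characters of NAME into NAME.png,
# then write NAME.desktop next to it. DIR ($2) defaults to the current dir.
make_icon() {
  name=$1
  dir=${2:-.}
  if ! valid_name "$name"; then
    printf 'make-icon: refusing unsafe name: %s\n' "$name" >&2
    return 2
  fi
  label=$(printf '%s' "$name" | cut -c1-2)
  # Every value is passed as one quoted argument: no eval, no sh -c string.
  convert -size 64x64 xc:white -gravity center -pointsize 28 \
    -annotate 0 "$label" "$dir/$name.png" || return 1
  desktop_entry "$name" "$dir/$name.png" > "$dir/$name.desktop"
}

# Run only when called with arguments, e.g.: sh make-icon.sh firefox
if [ "$#" -gt 0 ]; then
  make_icon "$@"
fi
```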