A shell injection vulnerability ad soon as somebody copies the same approach somewhere else or trained your LLM on it.

Write correct code by default, always, otherwise it will end up somewhere you care about.

The best way to do that is to avoid shell, as a language that makes writing insecure code the most convenient.

(The original intent looks like it's making a desktop/launch icon, e.g. you might call it with "firefox" as an argument and it would put its logo into an application starter, provided a logo of the correspond name is already in the place the script expects.)