Browsing through the repo, I noticed this, and wondered if that isn't a recipe for disaster (code is condensed to showcase my concern)?
```ts
app.get('/api/auth/callback', async (request: any, reply: any) => {
  const params: any = request.query || {};
  const code = params.code || '';
  const state = params.state || '';
  // Exchange code for token via curl
  const tokenResult = curlExec(
    'curl -s -X POST "https://github.com/login/oauth/access_token" -H "Accept: application/json" -d "client_id=' + GITHUB_CLIENT_ID + '&client_secret=' + GITHUB_CLIENT_SECRET + '&code=' + code + '"'
  );
  // ... (rest of the handler omitted in this condensed excerpt)
});
```
Shell injection?
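For comparison with the handler quoted above, here is one way to do the same token exchange without a shell. This is an added example in JavaScript, not code from the repository. The names `isPlausibleCode`, `buildTokenRequest` and `exchangeCode` are hypothetical, the allowlist pattern for `code` is an assumption, and a runtime with global `URLSearchParams` and `fetch` (Node 18+) is assumed.

```javascript
// Added example, not the project's code: token exchange with no shell in the path.
const TOKEN_URL = 'https://github.com/login/oauth/access_token';

// Assumption: an authorization code is a short token of letters, digits, "-" and "_".
// Quotes, "$", backticks, ";", "&" and whitespace are all rejected.
const CODE_PATTERN = /^[A-Za-z0-9_-]{1,128}$/;

function isPlausibleCode(code) {
  // The typeof check also rejects the array a query parser returns for ?code=a&code=b.
  return typeof code === 'string' && CODE_PATTERN.test(code);
}

function buildTokenRequest(code, clientId, clientSecret) {
  if (!isPlausibleCode(code)) {
    throw new Error('rejected OAuth code: unexpected type, characters or length');
  }
  // URLSearchParams percent-encodes every value, so a value cannot add form fields,
  // and the body is passed as data, never parsed as a command line.
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    code,
  });
  return {
    url: TOKEN_URL,
    init: {
      method: 'POST',
      headers: {
        Accept: 'application/json',
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      body: body.toString(),
    },
  };
}

// fetchImpl is injectable so the request can be inspected without network access.
async function exchangeCode(code, clientId, clientSecret, fetchImpl = fetch) {
  const { url, init } = buildTokenRequest(code, clientId, clientSecret);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error('token endpoint returned HTTP ' + res.status);
  return res.json();
}

// Constructed sample inputs (not taken from any log): values a callback could receive.
const CONSTRUCTED_SAMPLES = ['abc123DEF_-', 'x"; id #', '$(id)', '', ['a', 'b']];
```

Sending the secret in the request body also keeps it out of the process argument list, where a `curl` command line would expose it to other local users.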