
[Feature/Security] command isolation #1313

@mrcjkb


The command and make build backends could potentially be a security concern, as they allow executing arbitrary commands.

Something like extrasafe could be used to isolate the processes, so that they can only read from/write to the build directory.

Caveat: extrasafe only works on x86_64-linux.


Labels: enhancement (New feature or request)
