[The action] was set up in a way where text from a PR comment could be passed directly into a shell command, so whatever the comment said, the runner would execute it.

Oh, lol

I think we should just all stop using anything that uses SlopHub for its primary workflow.