
Just shellcheck is enough.


Shellcheck won't catch the missing dashes ('--') at the end of command options, so you could be in trouble if a variable starts with a dash and the command interprets it as an option rather than the filename. It's not particularly obvious, but if people can upload a file and specify its name, then they could compromise a script by choosing a suitably evil name. If you get into a habit of putting '--' at the end of the options and before the filename variable, then you protect against that.
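Added example, not part of the thread: a POSIX sh sketch of the filename-as-option problem described in the comment above, with the same `cat` call shown with and without `--`. The filename `-u`, the temporary directory and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: a file whose name starts with a dash, as an uploader
# might choose. demo_dir, read_unsafe, read_safe and remove_safe are
# hypothetical names used only in this example.
demo_dir=$(mktemp -d) || exit 1
name='-u'                                   # constructed "uploaded" filename

# The redirection target has a directory prefix, so nothing parses it as an option.
printf 'report contents\n' > "$demo_dir/$name"

read_unsafe() {
    # Quoting does not help here: cat receives "-u" in option position and
    # treats it as its unbuffered-output flag, then reads stdin, not the file.
    (cd "$demo_dir" && cat "$1" </dev/null)
}

read_safe() {
    # "--" ends option parsing, so "-u" can only be a filename operand.
    (cd "$demo_dir" && cat -- "$1" </dev/null)
}

remove_safe() {
    # Same habit for destructive commands: options first, then "--", then the name.
    (cd "$demo_dir" && rm -- "$1")
}

printf 'without --: [%s]\n' "$(read_unsafe "$name")"   # empty: the file was never read
printf 'with --:    [%s]\n' "$(read_safe "$name")"     # report contents
```

The call without `--` exits successfully and produces no output, so the script carries on with the wrong data and no error to flag it.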



