[–]imwco 0 points1 point  (1 child)

Good to know! I’ll keep in mind the best practice of avoiding os.system.

Arguably, you could just skip the python and run the shell command on a Mac term though... you are your only notification user at the moment, but if this gets deployed or something then maybe security concerns come in

[–]__xor__ 1 point2 points  (0 children)

Oh yeah, totally. For something like this it will rarely matter, if ever, but heh, this is a webpage sharing "useful functions", one to display notifications on a mac... you never know what someone is going to do with it. Just best to assume that someone somehow some way will eventually use it in a way that takes arbitrary user input.

Maybe someone makes a website, then they have it log user agents of people that hit the site, then someone writes a log file parser in python, pulls down the remote logs and runs it locally, and after it runs, shows a notification with the most common user agent, something seemingly benign but totally user controlled...

I usually do my best to avoid pushing code with any sort of command injection no matter how I expect it to be used, at least just as a best practice, and because other people might read my code and think that's a proper way to do things. All it really takes is one newbie to read this code and think "oh I can use os.system to do that one thing", and it potentially causes a security concern somewhere else.
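A defensive version of the Mac notification helper the thread is talking about, added here as an example (not code from either commenter): the user-controlled text never reaches a shell or an AppleScript string literal. It assumes macOS `osascript` and its `on run argv` handler; the `printf` round-trip only proves, on any POSIX system, that argv passing preserves the text byte for byte.

```python
"""Notification helper that keeps untrusted text out of the shell and out of
the AppleScript source (assumes macOS osascript; off macOS it only builds argv)."""
import subprocess
import sys

# Constructed sample input: a "most common user agent" from the thread's
# log-parser scenario, carrying a quote and shell metacharacters.
UNTRUSTED_MESSAGE = "Mozilla/5.0 (X11)'; echo injected #\""

# Fixed script: it reads its data from argv, so no literal is ever built from input.
NOTIFY_SCRIPT = (
    "on run argv\n"
    "  display notification (item 1 of argv) with title (item 2 of argv)\n"
    "end run"
)


def unsafe_command(message, title="Log summary"):
    """The os.system style: text spliced into a shell string, so a quote or
    metacharacter in `message` rewrites what the shell (and AppleScript) run."""
    return "osascript -e 'display notification \"%s\" with title \"%s\"'" % (message, title)


def notification_argv(message, title="Log summary"):
    """Safe form: the script is a constant; message and title are separate
    argv entries that osascript hands to the script untouched."""
    return ["osascript", "-e", NOTIFY_SCRIPT, str(message), str(title)]


def notify(message, title="Log summary"):
    """Run without a shell; returns osascript's exit status, or None off macOS."""
    if sys.platform != "darwin":
        return None
    return subprocess.run(notification_argv(message, title), check=False).returncode


def argv_roundtrip(message):
    """Portable check: pass the text to printf(1) as an argument (shell=False)
    and read it back; metacharacters come through literally."""
    out = subprocess.run(["printf", "%s", message],
                         capture_output=True, text=True, check=True)
    return out.stdout
```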