Unfortunately this is related to acme.sh, a shell script tool to request new and replace free certificates. So far, this GitHub issue is quite disturbing.
IMO it’s just a demonstration why you don’t write complicated or security sensitive code in shell script: it’s basically impossible to get right, there’s pitfalls around every corner and it’s extremely difficult to check for mistakes.
I wouldn't say there are too many pitfalls. Quote all variables (acme.sh seem to do well on that part) and don't use eval (probably the reason for this problem).