diff --git a/test.py b/test.py
index 360ad4a..856a291 100644
--- a/test.py
+++ b/test.py
@@ -2,6 +2,7 @@
 import os
 from dotenv import load_dotenv
+import subprocess #to trigger secret scanning
 user = 'test'
@@ -10,7 +11,15 @@
 google_api_token = "AIzaSyAQfxPJiounkhOjODEO5ZieffeBv6yft2Q"
 gh_PAT = "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"
+
+def dangerous(user_input):
+    # BAD: user input is passed directly to shell=True, which is dangerous!
+    subprocess.call(f"echo {user_input}", shell=True)
+
 # main
 if __name__ == '__main__':
     print('hello Github world')
+
+    user_input = input("Enter something: ")
+    dangerous(user_input)
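Review bot: `dangerous()` in the second hunk builds the command by interpolating `user_input` into an f-string and runs it with `shell=True`, so any shell metacharacters in the input are interpreted by the shell instead of being echoed, and the `__main__` block feeds it straight from `input()`. If this function is meant as a deliberate negative fixture the `# BAD:` comment already says so, but it should also name the safe form so nobody copies it into real code: `# BAD: ... — safe form is an argv list with shell=False`, i.e. `subprocess.run(["echo", user_input], shell=False, check=True)`, which passes the value as a single argument. The comment on the new `import subprocess` line in the first hunk, `#to trigger secret scanning`, describes the token literals in the second hunk rather than the import; `# used by dangerous() below` would be accurate, and the scanner note belongs next to the literals it refers to. The two token assignments are context lines, not part of this change, so I am not re-raising them here.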