TZubiri an hour ago

Any attempt to analyze a string that will be executed as a command is a fundamentally unsafe approach; presumably I can make an .sh file and run that and circumvent the mechanism? Off the top of my head. You could say that your analysis will be so deep that it can check the file scripts, it can do so recursively through bash file chains of any size, it's so smart in fact it can undecode base64 contents, and even if...

No, stop. If you do that, you have entered a rabbit hole. Ignore the command; assume it can be malicious. Path constraints are already fundamentally solved with tech as old as UNIX users; you are 50 years behind in terms of security and should not be concerning yourself with cutting edge issues for that reason.
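
The point made in the comment above, as an added example that is not part of the comment or of the tool under discussion: a string-level path guard rejects a direct write outside its workspace, yet approves the same write once it sits in a script file. The guard `guard_allows`, the directory names and the marker file are all constructed for this illustration.

```python
import os
import shlex
import subprocess
import tempfile


def guard_allows(command, workspace):
    """Constructed guard: reject any token naming a path outside workspace."""
    root = os.path.realpath(workspace)
    for token in shlex.split(command):
        if "/" in token or token.startswith("."):
            resolved = os.path.realpath(os.path.join(root, token))
            if os.path.commonpath([root, resolved]) != root:
                return False
    return True


def demo():
    """Compare the guard's verdict with what actually happens on disk."""
    with tempfile.TemporaryDirectory() as base:
        workspace = os.path.join(base, "workspace")
        outside = os.path.join(base, "outside")
        os.mkdir(workspace)
        os.mkdir(outside)
        marker = os.path.join(outside, "marker")  # harmless constructed target

        # Direct form: the outside path is visible in the string.
        direct = f"touch {shlex.quote(marker)}"
        direct_allowed = guard_allows(direct, workspace)

        # Indirect form: same command, one level of indirection via a file.
        with open(os.path.join(workspace, "run.sh"), "w") as fh:
            fh.write(direct + "\n")
        indirect = "sh run.sh"
        indirect_allowed = guard_allows(indirect, workspace)

        if indirect_allowed:
            subprocess.run(shlex.split(indirect), cwd=workspace, check=True)
        return {
            "direct_allowed": direct_allowed,
            "indirect_allowed": indirect_allowed,
            "escaped": os.path.exists(marker),
        }


if __name__ == "__main__":
    print(demo())
```

The check that holds here is the one the comment points to: run the command as a separate UNIX user with no write permission on `outside`, so the kernel refuses the write however the command is spelled.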