Passing unsanitized external input directly to functions that execute system commands, such as exec.Command or syscall.Exec, enables arbitrary code execution through injection attacks: malicious input can cause unintended system commands to run. Input passed to command execution requires strict validation and sanitization to prevent code injection. Use whitelists, escaping, or higher-level libraries that sanitize inputs.
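The flagged pattern next to a validated form, as an added example that is not part of the original text. The `ping` invocation, the hostname pattern and the function names are assumptions chosen for illustration; the commands are only constructed so their arguments can be inspected, never run.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// hostRe is an allowlist: letters, digits, dots and hyphens only, at most
// 253 characters, and the first character may not be a hyphen.
var hostRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$`)

var ErrBadHost = errors.New("host rejected by allowlist")

// unsafeCommand is the flagged pattern: the input is concatenated into a
// string handed to a shell, so metacharacters in host are interpreted by sh.
// It is built here only to inspect its arguments; it is never run.
func unsafeCommand(host string) *exec.Cmd {
	return exec.Command("sh", "-c", "ping -c 1 "+host)
}

// safeCommand validates host against the allowlist, then passes it as one
// argv element with no shell in between.
func safeCommand(host string) (*exec.Cmd, error) {
	if !hostRe.MatchString(host) {
		return nil, ErrBadHost
	}
	return exec.Command("ping", "-c", "1", host), nil
}

func main() {
	// Constructed sample inputs, not taken from real traffic.
	inputs := []string{"example.com", "example.com; echo INJECTED", "-f", "example.com\n"}
	for _, in := range inputs {
		fmt.Printf("input %q\n  unsafe argv: %q\n", in, unsafeCommand(in).Args)
		cmd, err := safeCommand(in)
		if err != nil {
			fmt.Printf("  safe: %v\n", err)
			continue
		}
		fmt.Printf("  safe argv:   %q\n", cmd.Args)
	}
}
```

The leading-hyphen check matters even without a shell: a value such as `-f` would otherwise reach the program as an option instead of a hostname.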