
A safe alternative for capturing child process output #7171

@straight-shoota

There is the top-level method `() which captures the output of a string command executed in a subshell. The string literal fully supports interpolation, thus it could easily lead to command injection when interpolating user input.

I've just written a docs chapter about this (crystal-lang/crystal-book#304).

In order to avoid command injection, arguments need to be properly escaped. Process.new and Process.run allow this, but require a few lines of code in order to implement a safe equivalent to a simple backticks command.

There is also the top-level method system which offers safe arguments, but doesn't capture the output. Instead, it is forwarded to STDOUT directly.

There should be a method to provide a safe & easy to use alternative for capturing subshell output with the same arguments as system() (plus maybe an additional shell argument) but the behaviour and return type of `().

This could be implemented by adding an optional args argument to `(), but I don't think that's a good idea because it makes it hard to distinguish the safe operation of this method.
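As an added example (not code from the issue or from Crystal's standard library), this is roughly what the "few lines" around Process.run look like when wrapped into a backtick-style helper; it assumes only the stdlib signature Process.run(command, args, output: IO):

```crystal
# Added example, not part of the issue: capture a child's stdout like `cmd`
# does, but take the program and its arguments separately so nothing is ever
# parsed by a shell (Process.run defaults to shell: false and execs directly).
def capture(command : String, args : Array(String)) : {String, Process::Status}
  stdout = IO::Memory.new
  # Process.run copies the child's stdout into the IO passed as `output:`.
  status = Process.run(command, args,
    output: stdout,
    error: Process::Redirect::Inherit)
  {stdout.to_s, status}
end

# Constructed, attacker-controlled value: interpolated into a backtick string
# the `;` would end the intended command and start a second one.
filename = "report.txt; echo injected"

# Unsafe pattern the issue warns about (shown as a comment, not executed):
#   `cat #{filename}`
#
# Safe: the whole string reaches the program as one literal argument, so
# `echo` simply prints it back unchanged.
out, status = capture("echo", [filename])
puts out             # prints the literal "report.txt; echo injected"
puts status.success?
```

Because args go straight to the child's argv, no quoting or escaping of `filename` is needed; that is the property a backtick-like method with system()'s argument list would give callers by default.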
