Shell injection via LLM-controlled commands in subprocess with shell=True

Found via code audit. loop/engine.py:104-107,246-249. _run_user_command() passes LLM output directly to subprocess.run(shell=True). No sanitization or sandboxing.