Make sure you trust the source of the URLs. Otherwise it's still a shell injection: try passing a $url = q["$(touch ~/hello.txt)"] if you're on Linux or maybe $url = q["&calc&"] on Windows (not sure about the CMD syntax, but it's definitely possible to construct a string that would cause a command to be run when wrapped in double quotes).
Comment on Re^3: Browser::Open Windows metacharacters
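A defensive sketch of the point made in the comment above, as an added example that is not part of the original post or of Browser::Open: validate the URL against an allow-list, then launch without a shell. The names `is_safe_url` and `open_url` are hypothetical, and perl itself stands in for the real opener so the script runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Accept only http(s) URLs built from a conservative character set.
# Quotes, $, backticks, &, |, ;, <, >, ^, spaces and newlines are rejected,
# so the string stays inert even if a shell later sees it.
sub is_safe_url {
    my ($url) = @_;
    return 0 unless defined $url && length($url) <= 2048;
    return $url =~ m{\A https?:// [A-Za-z0-9.-]+ (?: :\d{1,5} )?
                     (?: [/?\#] [A-Za-z0-9._~/?\#=%+,:\@-]* )? \z}x ? 1 : 0;
}

# List-form system() execs the program directly on POSIX: no /bin/sh is
# involved, so the URL arrives as one argv element and is never parsed
# as shell syntax.
sub open_url {
    my ($url, @opener) = @_;
    die "refusing unsafe URL\n" unless is_safe_url($url);
    return system { $opener[0] } @opener, $url;
}

# Hypothetical stand-in for the real opener: perl printing its first argument.
my @opener = ($^X, '-e', 'print "argv[0] = <$ARGV[0]>\n"');

# Constructed sample input: one ordinary URL plus the two strings quoted
# in the comment above.
for my $url ('https://example.com/docs?page=2',
             q["$(touch ~/hello.txt)"],
             q["&calc&"]) {
    if (is_safe_url($url)) { open_url($url, @opener) }
    else                   { print "rejected: $url\n" }
}

# Without validation, list form on POSIX still hands the string over
# literally: the opener receives the text and no command substitution runs.
system { $opener[0] } @opener, q["$(touch ~/hello.txt)"];
```

The allow-list deliberately rejects `&`, so URLs with several query parameters need it relaxed where the launch is known to bypass the shell. Where the opener is a cmd.exe builtin such as `start`, there is no shell-free launch, and the allow-list is what keeps the string inert.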