Note that the whole shelling out security issues only arise if one actually calls the shell. There are plenty of ways to avoid that, especially on *NIX - I wrote a longer node about exactly that topic (with example code) here.

And yes, I agree that you should definitely sandbox any code you run. I know this is possible in Lua, and it should apply to JavaScript as well, although I haven't looked at JE closely enough yet to say if that's the default behavior. OTOH sandboxing Perl is quite difficult.