in reply to Re: Re: Re: stringification
in thread stringification

Any solution that uses eval and doesn't do sanity checking on the input is vulnerable.

For example, in the code snippet where you put q// around the keys, if I pass in the string "foo__/.`rm xxx`.q/" then the line that gets evalled is

\$foo->{q//.`rm xxx`.q//}

If you do decide to go with eval, which personally I would not recommend, then you should turn on taint checking and make sure the input is safe before you eval it.
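An eval-free version of the lookup, added here as an illustration and not code from this thread. It assumes the key path uses "__" as the separator, as the input string above suggests; `parse_path`, `lookup`, the allow-list pattern and the sample data are hypothetical.

```perl
# Added example. Works with or without taint mode; run as: perl -T script.pl
use strict;
use warnings;

# Assumption: a key path looks like "foo__bar__baz", with "__" between levels.
# Allow-list for a single key: alphanumeric words joined by single underscores.
my $KEY_RE = qr/\A[A-Za-z0-9]+(?:_[A-Za-z0-9]+)*\z/;

# Hypothetical helper: split a path and return validated, untainted keys.
sub parse_path {
    my ($path) = @_;
    my @keys;
    for my $part (split /__/, $path, -1) {
        # The capture validates the key and, under -T, untaints it.
        $part =~ /($KEY_RE)/ or die "rejected key in path\n";
        push @keys, $1;
    }
    die "empty path\n" unless @keys;
    return @keys;
}

# Walk the nested hash with ordinary lookups; no string is ever compiled.
sub lookup {
    my ($data, $path) = @_;
    my $node = $data;
    for my $key (parse_path($path)) {
        return unless ref $node eq 'HASH' && exists $node->{$key};
        $node = $node->{$key};
    }
    return $node;
}

my %config = (foo => { bar => { baz => 42 } });    # constructed sample data

# Constructed inputs: a well-formed path, a missing key, the string from the post.
for my $input ('foo__bar__baz', 'foo__nope', 'foo__/.`rm xxx`.q/') {
    # Block eval only traps die(); unlike string eval it compiles nothing.
    my $value = eval { lookup(\%config, $input) };
    if    ($@)             { print "refused:   $@" }
    elsif (defined $value) { print "found:     $value\n" }
    else                   { print "not found: $input\n" }
}
```

The string from the post is rejected by the allow-list before any lookup happens, and because the keys are only ever used as hash subscripts, a key that did slip through would be treated as data, not code.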

Re: Re: Re: Re: Re: stringification
by dash2 (Hermit) on Mar 01, 2001 at 14:21 UTC
    ah... now that would explain why the node is getting massacred... /me looks suitably chastened, and will rewrite to avoid the "eval" solution.

    dave hj~