
IMO at the very least they should have an org-wide option in settings to disable command interpretation.


Yeah, the ability to disable the insecure commands is crucial. That should be the first thing they should do.

Probably a lot of people aren’t even using this functionality in their workflows anyway.

I think the only one of these commands that I actually use is setting outputs, and I don’t even use that very often.

There should also be a way to see which commands have been triggered via stdout, so you can at least see what happened if something malicious happens.



