anyrun-org / anyrun

A wayland native, highly customizable runner.

[Bug] Shell input not sanitised in websearch plugin

00-kat opened this issue · comments

commented

I'm not too sure if this is an issue or not since it is in your config after all; however, if I have the following config:

Config(
    engines: [
        Custom(
            name: "click me",
            url: "somewhere.com/something?q={} && echo hehe > /tmp/test.txt",
        ),
    ],
)

Then run Anyrun and search for something, I see a file /tmp/test.txt with the contents hehe.

My only guess as to when this might be problematic is if you have something like somewhere.com/something?q={}&something=something, it might be possible to accidentally run shell commands instead of going where you want to (actually I remember I was affected by this bug when I was trying to add the Arch Wiki, because the URL had &s in it).

commented

Oops, I think I might have opened the issue in the wrong repository; it also seems to be a duplicate of anyrun-org/plugin-websearch#1.
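
Added example, not part of the issue thread and not the plugin's own code: the behaviour reported above is what a URL does when it is pasted into a command line that a shell parses. The Rust program below assumes a launcher that runs `sh -c "<opener> <url>"` and compares it with passing the URL as a single argument; `echo` stands in for the opener, the function names are hypothetical, and the two templates are constructed from the URLs in the issue.

```rust
use std::process::Command;

// Assumption: `echo` stands in for the real URL opener (e.g. xdg-open) so the
// example runs offline and the "opened" URL can be captured from stdout.
const OPENER: &str = "echo";

/// Substitute the search text into the engine template's `{}` placeholder.
fn fill_template(template: &str, query: &str) -> String {
    template.replace("{}", query)
}

/// Unsafe pattern: the URL is pasted into a command line that `sh -c` parses,
/// so `&`, `&&`, `;` and `>` inside the URL act as shell syntax.
fn open_via_shell(url: &str) -> String {
    let line = format!("{} {}", OPENER, url);
    let out = Command::new("sh").arg("-c").arg(line).output().expect("sh failed to start");
    String::from_utf8_lossy(&out.stdout).into_owned()
}

/// Hardened pattern: no shell at all; the URL is exactly one argv element.
fn open_via_argv(url: &str) -> String {
    let out = Command::new(OPENER).arg(url).output().expect("opener failed to start");
    String::from_utf8_lossy(&out.stdout).into_owned()
}

fn main() {
    // Constructed templates modelled on the two URLs in the issue (the
    // redirect to /tmp/test.txt is left out so nothing is written to disk).
    let templates = [
        "somewhere.com/something?q={} && echo hehe",
        "somewhere.com/something?q={}&something=something",
    ];
    for t in templates {
        let url = fill_template(t, "arch");
        // Shell path: the first template runs a second command, the second
        // one loses everything after the `&`.
        println!("shell: {:?}", open_via_shell(&url));
        // Argv path: the opener receives the URL unchanged in both cases.
        println!("argv:  {:?}", open_via_argv(&url));
    }
}
```

Dropping the shell removes the command-execution path; the search text still needs URL encoding before substitution so that it cannot add query parameters of its own.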