sogno-platform / clonemap

cloud-native Multi-Agent Platform

risk of code injection when creating agencies

kwe712 opened this issue

The function LocalStub.createAgency creates an agency, using Go's exec package. In building the command for starting the agency's container, the name of a configured image is used without being checked first. This could make code injection possible if an image name is chosen containing ;, followed by any command. This command will be executed on the kubestub container.
Depending on how it is set, the same problem may be caused by the log level setting.

Fixed with PR #13
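
One way to guard against the issue described above, as an added example that is not code from the clonemap repository or from PR #13: validate the image name and log level against allowlists, then hand the arguments to Go's exec package as a vector so no shell parses them. The function name `agencyCommand`, the `docker run` command line, the `LOG_LEVEL` variable and the set of log levels are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

// Conservative allowlist patterns. Both reject whitespace, shell
// metacharacters such as ';', and values that start with '-'.
var (
	nameRef  = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9_.-]*$`)
	imageRef = regexp.MustCompile(`^[a-z0-9]+(?:[._-][a-z0-9]+)*(?::[0-9]+)?` +
		`(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?$`)
)

// Assumed set of log levels; use the values the platform actually accepts.
var logLevels = map[string]bool{"debug": true, "info": true, "error": true}

// agencyCommand (hypothetical helper) checks every configured value and
// returns a command built from separate arguments. The command is only
// constructed here, never started.
func agencyCommand(name, image, logLevel string) (*exec.Cmd, error) {
	if !nameRef.MatchString(name) {
		return nil, fmt.Errorf("invalid container name %q", name)
	}
	if !imageRef.MatchString(image) {
		return nil, fmt.Errorf("invalid image reference %q", image)
	}
	if !logLevels[logLevel] {
		return nil, fmt.Errorf("invalid log level %q", logLevel)
	}
	// LOG_LEVEL is a placeholder variable name, not the project's own.
	return exec.Command("docker", "run", "-d", "--name", name,
		"-e", "LOG_LEVEL="+logLevel, image), nil
}

func main() {
	// Constructed sample inputs: one well-formed reference, one with ';'.
	for _, img := range []string{
		"registry.example.com:5000/clonemap/agency:latest",
		"agency; touch /tmp/x",
	} {
		cmd, err := agencyCommand("agency-0", img, "info")
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("argv:", cmd.Args)
	}
}
```

Rejecting a leading `-` matters as well, because a value that begins with a dash would be read as an option by the container runtime even when no shell is involved.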