ummon-server / ummon-server

Ummon is a Node.js application for creating, queuing, running and monitoring externally running tasks


Flag to prevent RCE

mkopinsky opened this issue · comments

Currently, ummon server allows running arbitrary commands via the API/the CLI app's ummon run command. This isn't necessarily a security hole, as any user who can ummon run a command could just as easily ummon task create the command and then run it. However, that provides one step less auditability and security. It would be better if there were a flag in config.json to require that you can only run a predefined task rather than an arbitrary command.
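One way the flag proposed above could gate run requests, as an added sketch that is not part of the original issue or ummon-server's own code. The flag name `requirePredefinedTasks`, the request shape and the task store are assumptions made for illustration.

```javascript
// Added illustration; not ummon-server code. The flag name, request shape and
// task store below are hypothetical.
const config = { requirePredefinedTasks: true }; // assumed config.json flag

// Constructed sample of predefined tasks, keyed by task id.
const tasks = new Map([
  ['nightly.backup', { command: '/usr/local/bin/backup.sh --full' }],
  ['reports.build', { command: 'node build-reports.js' }],
]);

// Every decision is recorded, allowed or not, so runs stay auditable.
const auditLog = [];

// Decide what, if anything, a run request may execute.
// request: { user: string, task?: string, command?: string }
function resolveRun(request, cfg = config, store = tasks, log = auditLog) {
  const entry = { user: request.user, task: request.task || null, allowed: false, reason: '' };
  const hasCommand = typeof request.command === 'string' && request.command.length > 0;

  if (hasCommand && cfg.requirePredefinedTasks) {
    // Reject even when a valid task id is also supplied, so a caller cannot
    // attach a free-form command to a legitimate task name.
    entry.reason = 'arbitrary commands disabled';
  } else if (hasCommand) {
    entry.allowed = true;
    entry.reason = 'ad hoc command (flag off)';
    entry.command = request.command;
  } else if (typeof request.task === 'string' && store.has(request.task)) {
    entry.allowed = true;
    entry.reason = 'predefined task';
    // The command string comes from the task store only, never from the request.
    entry.command = store.get(request.task).command;
  } else {
    entry.reason = 'unknown or missing task';
  }
  log.push(entry);
  return entry;
}
```

With the flag on, the only command strings that can reach the runner are those already stored under a task id, and the audit log records each request together with the task it named.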