> which creates a new REPL with some very important changes

I don't like shrug! I don't want any shrug!

... Of course, if you can arrange for the target system to decode and execute the embedded code, it's already compromised...

> eval doesn't like statements and everyone already knows to suspect exec code.

If people don't equally well suspect `eval` then education attempts have seriously failed.

Incidentally: one way every Pythonista can help improve OSS is to search on GitHub for insecure-but-intentional - as well as inappropriate-but-legitimate - uses of `eval` to submit PRs. For example, it often gets used to convert hex digits to raw byte values (https://github.com/search?q=%22eval%28%5C%220x%22+lang%3APython+&type=code), rather than simply passing a `base` argument to `int`.
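As an added illustration of the last point (this is example code written for this page, not code from the comment or from any project it links): a strict hex parser built on `int(..., 16)` that replaces the `eval("0x" + value)` idiom, plus a small `ast`-based scanner that flags exactly that idiom in a code base, which is the programmatic version of the GitHub search above. The `SAMPLE_SOURCE` string is constructed for the demonstration; the function names are my own.

```python
import ast

HEX_DIGITS = set("0123456789abcdef")


def hex_to_int(text: str) -> int:
    """Convert '0x1f', '1F', etc. to an int without eval.

    int(text, 16) already tolerates a '0x' prefix, but it also accepts
    signs, whitespace and underscores, so the character set is checked
    explicitly to keep the accepted input as narrow as the old eval idiom
    was meant to be. Anything else raises ValueError instead of running.
    """
    s = text.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    if not s or any(c not in HEX_DIGITS for c in s):
        raise ValueError(f"not a hex literal: {text!r}")
    return int(s, 16)


def _builds_hex_string(node: ast.AST) -> bool:
    """True if an expression is, or starts with, the string literal '0x'."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value.lower().startswith("0x")
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _builds_hex_string(node.left)          # "0x" + value
    if isinstance(node, ast.JoinedStr) and node.values:
        return _builds_hex_string(node.values[0])     # f"0x{value}"
    return False


def find_eval_hex(source: str) -> list[tuple[int, int]]:
    """Return (line, column) of every eval() whose first argument builds a '0x...' string."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Name)
            and node.func.id == "eval"
            and node.args
            and _builds_hex_string(node.args[0])
        ):
            hits.append((node.lineno, node.col_offset))
    return hits


# Constructed sample: one function using the eval idiom, one using int().
SAMPLE_SOURCE = '''
def parse(val):
    return eval("0x" + val)

def parse_ok(val):
    return int(val, 16)
'''


if __name__ == "__main__":
    print(hex_to_int("0x1f"), hex_to_int("FF"))
    print(find_eval_hex(SAMPLE_SOURCE))
```

Running the scanner over a checkout (`ast.parse` on each `.py` file) gives the same hits as the GitHub code search but without the false positives from comments and strings, and the reported line and column point straight at the call to replace with `int(value, 16)`.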