diff --git a/README.md b/README.md
index e01d0fd6..e0c31252 100644
--- a/README.md
+++ b/README.md
@@ -340,6 +340,11 @@
 Not seeing the behavior you want? `exec()` runs everything through `sh`
 by default (or `cmd.exe` on Windows), which differs from `bash`. If you
 need bash-specific behavior, try out the `{shell: 'path/to/bash'}` option.
 
+**Note:** as `shell.exec()` executes an arbitrary string in the system
+shell, it is **critical** to properly sanitize user input to avoid command
+execution. For more context, consult the [Security
+guidelines](https://github.com/shelljs/shelljs/wiki/Security-guidelines).
+
 ### find(path [, path ...])
 ### find(path_array)
diff --git a/src/exec.js b/src/exec.js
index f63fd5bb..e6077a33 100644
--- a/src/exec.js
+++ b/src/exec.js
@@ -177,6 +177,11 @@ function execAsync(cmd, opts, pipe, callback) {
 //@ Not seeing the behavior you want? `exec()` runs everything through `sh`
 //@ by default (or `cmd.exe` on Windows), which differs from `bash`. If you
 //@ need bash-specific behavior, try out the `{shell: 'path/to/bash'}` option.
+//@
+//@ **Note:** as `shell.exec()` executes an arbitrary string in the system
+//@ shell, it is **critical** to properly sanitize user input to avoid command
+//@ execution. For more context, consult the [Security
+//@ guidelines](https://github.com/shelljs/shelljs/wiki/Security-guidelines).
 function _exec(command, options, callback) {
   options = options || {};
   if (!command) common.error('must specify command');
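Review bot: The added `//@` note in src/exec.js says sanitizing input is needed "to avoid command execution", which understates the point — `exec()` always executes a command; what must be avoided is command injection, where attacker-controlled input changes which command the shell runs, so I would change the two lines to `//@ shell, it is **critical** to properly sanitize user input to avoid command` / `//@ injection (untrusted input altering the command that is run). For more context, consult the [Security`. The README.md hunk carries the identical sentence and should be changed in step. Because this same paragraph documents the `{shell: ...}` option, it is worth one more clause saying that escaping rules depend on the shell that parses the string (`sh` versus `cmd.exe` versus a user-supplied shell), so a sanitizer written for one is not necessarily safe for another — hedged, since the linked wiki page is not visible here. `_exec` begins inside the hunk and its body continues past it.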