The current EXECUTE command causes the command system to loan SIK & SOK keys to a program that may not warrant trust by the user. The program may then control the command system.
A similar hazard with recent notoriety is where a bad program sends magic characters to the terminal so as to capture the loyalty of the terminal. When the user returns to the command system, the terminal issues commands not intended by the user.
The CCK-SIK-SOK set need to be weakened so as to prevent: unprintable characters going to the terminal, and no bypassing of the prevention.
Another problem is to get back into communication with the command system when the suspect program fails to return to the command system.
I claim that these several functions should not be put into separate modules because a program that is not trusted to return your keys should not be trusted not to misuse them and vice-versa.
Some assertion such as the following may be true of almost all terminals and may be sufficient to avoid the "duped terminal" attack.
If a terminal is "reset" at the beginning of a session and receives only "standard characters" from the computer, then the terminal will send only those characters directly resulting from and corresponding to keyboard keystrokes. By "standard characters" we mean space, CR, LF, and the 94 printable ascii characters.
If SOK4 were to refuse to send other than a specifically enabled set the problem would be solved. The CCK4 key must be relativized to the branch somehow also.