The subprocess module has built-in protection against command execution:

from subprocess import call

# An invocation of the call(...) function will ensure only a single
# command is run.
call(["ls", "-l"])

This protection can be disabled – be on the lookout for anything that opens a process in the following manner:

from subprocess import call

# shell=True disables command injection checking.
call("cat " + filename, shell=True)