Any script that doesn't untaint ARGV is vulnerable.

Which is this thread's lesson :)

But I still think magic ARGV should not use two-arg open.

Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }