This is how security holes get born... maybe someday you'll open the script up for others to use, or you'll be working on something for a client and remember that time you wrote this script, and just copy it over since that's the easiest solution, or ...
Better to protect it from the start. And it's not hard to do, at least throwing this in as the first line of the foreach already helps against some of the bad stuff: tr{a-zA-Z0-9_/-}{}cd (still doesn't protect against symlinks into other directories, and if you add the dot to that list, it won't protect against "..", etc.)