I agree that it's impossible for Nim to protect you if you're willing to compile other people's code.
However, it could be good if Nim provided a means for auditing calls to
staticRead. Or at least provided means for someone else to write an auditing library. I imagine something like the following could work and not be onerous either to the user or the compiler:
nim c --strictStatic myfile.nim
This would fail on all instances of
staticExec with a message like:
ERROR: Prevented execution of myfile.nim:staticExec("/bin/echo foo") Pass --allowStatic:'myfile.nim:staticExec("/bin/echo foo")' to allow it