When alerter call external script, it can pass some information including last item value as commandline arguments.
Item value can contain some information out of zabbix administrator countrol such as web page content.
And when this information pass to commandline, shell meta-characters such as '$', '~', '@' and even '`' not escaped.
Due to this, hacker can execute arbitrary code on zabbix server if he has access to monitored web-page, alert action configured as external script, last value included in the message body and item value is web page content.

Solution I propose is to call external scripts by exec() function and not via "/bin/sh -c".
Another solution - pass message body to external script via stdin - is not solve the same (hypothetic) problem with subject.
Escape all shell meta-characters before call script seems ugly for me.