Purely a security request, I think there's still a couple unsafe characters and COMBINATIONS of characters allowed to be passed to agents, or at least some that should be escaped.
Also I feel to be truly a safe parameter, the ONLY characters allowed to be passed should be: [a-zA-Z0-9]
I understand the need for . / etc.. But without filtering dangerous combinations, we open up security holes.
Some examples of these in the current allowed set would be:
*NOTE, confused why / is allowed, but \ is unsafe. Wouldn't this be Windows, Linux, or web check (curl, etc.), dependent.
Here's some example escaping code for Rexx / Perl: https://www.slac.stanford.edu/slac/www/resource/how-to-use/cgi-rexx/cgi-esc.html