diff --git a/src/index.js b/src/index.js
index 3f11e02..3b9c57a 100644
--- a/src/index.js
+++ b/src/index.js
@@ -55,8 +55,23 @@ async function run() {
 console.log(`Cache found, skipping command: ${command}`);
 return;
 }
- await exec.exec(`tar ${untarOption} ${fileName}`);
- await exec.exec(`rm -f ${fileName}`);
+
+ // VULNERABLE CODE: Clear command injection vulnerability
+ // Using unsafe shell character direct string concatenation from user input
+ const userFiles = core.getInput('additional-files') || '';
+
+ // This will be flagged by CodeQL - direct command injection using exec.exec with string concatenation
+ await exec.exec('tar ' + untarOption + ' ' + fileName);
+
+ // Highly vulnerable command injection pattern
+ const shellCommand = 'echo "Extracted files: " && ls ' + userFiles;
+ require('child_process').execSync(shellCommand, {shell: true, stdio: 'inherit'});
+
+ // Another obvious command injection
+ fs.readdirSync('.').forEach(file => {
+ const cleanCommand = 'rm -f ' + file + ' ' + core.getInput('cleanup-suffix', { required: false });
+ require('child_process').execSync(cleanCommand);
+ });
 });
 } catch (error) {
 core.setFailed(error.message);
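Review bot: The two `execSync` calls on the new side hand the action inputs `additional-files` and `cleanup-suffix` to a shell as concatenated strings, so whoever controls those inputs in a workflow controls the command line, and the `fs.readdirSync('.')` loop now runs `rm -f` on every entry of the working directory instead of only `fileName` as the removed lines did. If this is meant as a scanner fixture, as the comments state, it belongs in a test directory rather than in the action's entrypoint `src/index.js`; otherwise the listing should go through `execFileSync` with an argv array and no shell, the `tar` call should pass its arguments as an array (`await exec.exec('tar', [untarOption, fileName]);`), and cleanup should revert to deleting only `fileName`. Whether `fs` is imported at the top of the file is not visible in the hunk, and `run()` with its `try`/`catch` extends beyond the hunk on both sides.
```javascript
      // … unchanged: cache-hit early return …
      const { execFileSync } = require('child_process');
      const userFiles = core.getInput('additional-files') || '';

      // Arguments are passed as an argv array; no shell parses them.
      await exec.exec('tar', [untarOption, fileName]);

      console.log('Extracted files: ');
      // Each whitespace-separated item becomes one argv entry, never shell-interpreted.
      const listArgs = userFiles.split(/\s+/).filter(Boolean);
      execFileSync('ls', listArgs, { stdio: 'inherit' });

      // Remove only the archive that was just extracted, as before this change.
      await exec.exec('rm', ['-f', fileName]);
```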