+## Passing filenames or other positional arguments to commands
+
+If you get filenames from the user or from shell globbing, or any other kind of positional arguments, you should be aware that those could start with a "-". Even if you quote correctly, this may still act differently from what you intended. For example, consider a script that allows somebody to run commands as `nobody` (exposed over `remctl`, perhaps), consisting of just `sudo -u nobody "$@"`. The quoting is fine, but if a user passes `-u root reboot`, `sudo` will catch the second `-u` and run it as `root`.
+
+Fixing this depends on what command you're running.
+
+For many commands, however, `--` is accepted to indicate that any options are done, and future arguments should be parsed as positional parameters — even if they look like options. In the `sudo` example above, `sudo -u nobody -- "$@"` would avoid this attack (though obviously specifying in the `sudo` configuration that commands can only be run as `nobody` is also a good idea).
+
+Another approach is to prefix each filename with `./`, if the filenames are expected to be in the current directory.
+
+## Temporary files
+
+TODO: mumble `mktemp`?
+
+## Use [ShellCheck](https://www.shellcheck.net/) to check for bugs
+
+The [ShellCheck](https://www.shellcheck.net/) linter automatically catches a number of the above mistakes and more. Run it regularly, ideally with integration into your editor and your test suite, and address all of its diagnostics. Even warnings that might sound unimportant could be obscuring important bugs.
+
+## Other resources
+
+Google has a [Shell Style Guide](https://google.github.io/styleguide/shell.xml). As the name suggests, it primarily focuses on good style, but some items are safety/security-relevant.
+
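Review bot: The "Temporary files" section in this hunk is a bare placeholder (`+TODO: mumble `mktemp`?`) that will ship to readers as-is; either write it before merging or drop the heading until the text exists. If it is written, the point the section name promises is to create temporary files and directories with `mktemp` / `mktemp -d` instead of predictable hand-built names, and to remove them on exit with a `trap`, which keeps it in line with the "quote correctly, then use the tool that removes the ambiguity" shape of the rest of the page. Two smaller points in the same hunk: the `--` fix (`sudo -u nobody -- "$@"`) stops `sudo` itself from consuming user-supplied options, but the command after `--` still parses its own arguments and the caller still chooses which command runs, so the parenthetical about restricting the target user in the `sudo` configuration is the stronger control and should read as the primary recommendation rather than an aside. The `./` prefix advice applies only to names relative to the current directory; since the paragraph mentions shell globbing as a source of such names, it would help to say explicitly that globbing with `./*` instead of `*` yields the prefixed form directly, which is the case where a file whose name starts with "-" most often slips in unnoticed.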