The fee subtraction logic in create_psbt incorrectly always subtracts from the first recipient, ignoring the subtract_from parameter. This can lead to misconfigured transactions. Also: command injection via subprocess.Popen with shell=True.
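Added illustration (not code from the project or from either commenter): one way a create_psbt-style builder can honour a subtract_from parameter instead of always charging the first recipient. The recipient structure, the sats-denominated amounts and the dust threshold are assumptions made up for this example; only the names create_psbt and subtract_from come from the thread. The fee is split evenly across the selected recipients, with any remainder satoshis assigned one each to the earliest selected outputs, and the function refuses to produce an output below the dust limit or a negative amount.

```python
from typing import Dict, List, Optional

# Constructed threshold for this example; a real wallet takes it from its
# policy for the output script type, not from a hard-coded constant.
DUST_LIMIT_SATS = 546


def apply_fee_subtraction(
    recipients: List[Dict[str, int]],
    fee_sats: int,
    subtract_from: Optional[List[int]] = None,
) -> List[Dict[str, int]]:
    """Return a copy of `recipients` with `fee_sats` deducted from the outputs
    named in `subtract_from` (indexes into `recipients`).

    recipients: hypothetical shape [{"address": str, "amount": int}], amounts in sats.
    subtract_from: None or [] means the sender pays the fee from change, so no
                   recipient amount is touched.
    """
    if fee_sats < 0:
        raise ValueError("fee must be non-negative")
    adjusted = [dict(r) for r in recipients]
    if not subtract_from:
        return adjusted

    # De-duplicate and validate indexes before touching any amount.
    indexes = sorted(set(subtract_from))
    for i in indexes:
        if i < 0 or i >= len(recipients):
            raise IndexError(f"subtract_from index {i} out of range")

    # Even split; the first `remainder` selected outputs pay one extra sat.
    share, remainder = divmod(fee_sats, len(indexes))
    for position, i in enumerate(indexes):
        deduction = share + (1 if position < remainder else 0)
        new_amount = adjusted[i]["amount"] - deduction
        if new_amount < DUST_LIMIT_SATS:
            raise ValueError(
                f"recipient {i} would drop to {new_amount} sats after fee, below dust"
            )
        adjusted[i]["amount"] = new_amount
    return adjusted


def fee_actually_deducted(
    before: List[Dict[str, int]], after: List[Dict[str, int]]
) -> int:
    """Sanity check a builder can run before signing: the sum of recipient
    amounts must have fallen by exactly the fee, never more or less."""
    return sum(r["amount"] for r in before) - sum(r["amount"] for r in after)


if __name__ == "__main__":
    # Constructed sample outputs, not real addresses or a real transaction.
    outs = [
        {"address": "recipientA", "amount": 100_000},
        {"address": "recipientB", "amount": 50_000},
        {"address": "recipientC", "amount": 20_000},
    ]
    result = apply_fee_subtraction(outs, fee_sats=1_001, subtract_from=[1, 2])
    print(result)
    print("deducted:", fee_actually_deducted(outs, result))
```

The invariant check is the part worth keeping even if the split policy changes: a builder that always charged recipient 0 would still pass a "total fee deducted" check, so the test also has to assert that an unselected recipient keeps its full amount.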
Good catch, thanks for bringing these up.
Fee subtraction logic: You're right; the current implementation overly simplifies and defaults to the first recipient. We're tracking this and are actively working on a patch to correctly respect the subtract_from parameter across multiple recipients.
subprocess.Popen with shell=True: We're aware of this. Although our current usage sanitizes inputs thoroughly, using shell=True isn't ideal from a security perspective.
Really appreciate the scrutiny. If you're open to it, we'd welcome a PR or a deeper security review from your side - happy to discuss a bounty for quality fixes too!
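Added example, not code from the project or from anyone in this thread, showing the usual fix for the shell=True point: pass an argv list so the child is started with execve and no shell ever tokenises the arguments, and if a shell command string is truly unavoidable, build it with shlex.join so every argument is quoted. The child program here is just another Python interpreter that reports its own argv, which lets the example prove offline that a value containing shell metacharacters arrives as one literal argument. Helper names (run_argv, echo_args, quote_for_shell) are invented for this illustration.

```python
import json
import shlex
import subprocess
import sys
from typing import List


def run_argv(argv: List[str], timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Run a program from an argv list with shell=False (the default).

    Because no shell is involved, characters like ';', '|', '$(' or backticks in
    any element are passed to the program verbatim instead of being interpreted.
    """
    if not argv or not all(isinstance(a, str) for a in argv):
        raise ValueError("argv must be a non-empty list of strings")
    return subprocess.run(
        argv,
        shell=False,
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )


def echo_args(*user_values: str) -> List[str]:
    """Spawn a child Python that prints its argv as JSON and return that list.

    Used here to show that untrusted strings reach the child unchanged, one
    argv entry each, regardless of what they contain.
    """
    child = [
        sys.executable,
        "-c",
        "import sys, json; print(json.dumps(sys.argv[1:]))",
        *user_values,
    ]
    result = run_argv(child)
    if result.returncode != 0:
        raise RuntimeError(result.stderr)
    return json.loads(result.stdout)


def quote_for_shell(argv: List[str]) -> str:
    """Fallback when a shell string is unavoidable (e.g. a pipeline): quote
    every argument so the shell treats each as a single word. Prefer run_argv."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed inputs that would be dangerous if a shell parsed them.
    print(echo_args("wallet.psbt; echo injected", "$(id)"))
    print(quote_for_shell(["mytool", "--input", "wallet.psbt; echo injected"]))
```

The behavioural difference is the whole point: with shell=True and string concatenation the first sample input would run two commands; with an argv list it is a single, odd-looking filename that the program can reject. Input sanitisation, as mentioned in the reply, then becomes defence in depth rather than the only barrier.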