Answer from the git-security mailing list:
> So in short: I think all of this is known (and public). Patches on the public development list to help improve the situation are welcome. :) [...] Yes, this part is expected.

So: Be careful with your git integrations in your shell/editor/... - A simple `git status` in an untrusted repo is enough to have code execution!