A friend shared another potential Godot Crime:

Quote

resources can contain code and loading them will execute that code

Related: https://github.com/godotengine/godot-proposals/issues/4925

Notably, since Ultraprocessor Ribbon uses the ConfigFile API, the config file for the game can be used as a code injection vector by adding this to the end of the file:

[Foobar] foobar=Object(Resource,"script":Object(GDScript,"resource_local_to_scene":false,"resource_name":"","script/source":"extends Resource func _init(): print(\"Hello, world!\")"))

Even though the config code in Ultraprocessor Ribbon doesn’t try to read the foobar value, Hello, world! is printed to the console.