Not so paranoid about security, but for what it is worth, here is a vote against enabling --shell-escape by default.
The TeX directive is a good idea I think, but there is a potential wrinkle. XeTeX doesn't take --shell-escape but -shell-escape, that is, one dash preceding, not two. So running XeTeX with a document with the proposed TeX directive is going to throw up errors...
On 9/2/2008, "Brad Miller" millbr02@luther.edu wrote:
I don't know how people feel about the security issue, but the online docs I've found are pretty clear about not enabling --shell-escape for documents you haven't written yourself. I rarely download TeX source and typeset it, so this is not a big deal for me. Although TextMate could auto-enable the shell-escape option by detecting certain packages, it would have no way of knowing whether the user had written the document or not. Perhaps a middle ground would be to put up a warning if one of the packages is included and the user has not enabled shell-escape.
Rather than setting the global option to enable shell-escape, users can also insert the following line at the top of their document:
    %!TEX TS-options = --shell-escape
This can be done manually or by using the File Preferences menu in the latex bundle.
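
An added example, not part of either message and not the bundle's own code: a pre-typesetting check that reports whether a source file turns on shell-escape through the TS-options directive (with one or two dashes) and produces the warning suggested above when the document seems to expect shell-escape and it is off. The package list, the `\write18` check and all function names are assumptions made for illustration; the thread does not name the packages.

```python
import re

# Assumption: illustrative packages that call external programs; the thread names none.
SHELL_ESCAPE_PACKAGES = {"minted", "gnuplottex"}
DIRECTIVE = re.compile(r"^\s*%\s*!TEX\s+TS-options\s*=\s*(.*)$", re.IGNORECASE)
USEPACKAGE = re.compile(r"\\usepackage(?:\[[^\]]*\])?\{([^}]*)\}")
COMMENT = re.compile(r"(?<!\\)%.*")


def audit_tex(source, globally_enabled=False):
    """Report how a TeX source relates to shell escape before it is typeset."""
    lines = source.splitlines()
    options = []
    for line in lines:
        match = DIRECTIVE.match(line)
        if match:
            options.extend(match.group(1).split())
    # Accept one or two leading dashes, since engines differ (see the XeTeX note).
    directive_enables = any(
        o.startswith("-") and o.lstrip("-") == "shell-escape" for o in options
    )
    # Drop comments so a commented-out \usepackage is not counted.
    body = "\n".join(COMMENT.sub("", line) for line in lines)
    used = {n.strip() for m in USEPACKAGE.finditer(body) for n in m.group(1).split(",")}
    packages = sorted(used & SHELL_ESCAPE_PACKAGES)
    write18 = re.search(r"\\write18\b", body) is not None

    warnings = []
    if directive_enables:
        warnings.append("document turns on shell-escape itself; review it if you did not write it")
    if (packages or write18) and not (directive_enables or globally_enabled):
        warnings.append("document expects shell-escape, which is not enabled")
    return {"directive_enables": directive_enables, "packages": packages,
            "write18": write18, "warnings": warnings}


# Constructed sample inputs (not taken from the thread).
SELF_ENABLING = r"""%!TEX TS-options = --shell-escape
\documentclass{article}
\usepackage[cache=false]{minted}
\begin{document}\immediate\write18{date}\end{document}"""
XETEX_STYLE = "% !TEX TS-options = -shell-escape\n\\documentclass{article}"
NEEDS_IT = "\\documentclass{article}\n\\usepackage{minted}"
COMMENTED_OUT = "\\documentclass{article}\n% \\usepackage{minted}"

if __name__ == "__main__":
    for name in ("SELF_ENABLING", "XETEX_STYLE", "NEEDS_IT", "COMMENTED_OUT"):
        print(name, audit_tex(globals()[name]))
```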