Please, take a look at the post, it explains the problem and things it might cause https://www.reddit.com/r/kde/comments/fpqbi2/krunner_and_kickoff_security_concerns/ I would like to suggest Krunner to only execute files from the PATH, from the plugin "Command Line" and not files that were brought by other plugins like "Recent Documents"
Lets just have one report It's the same KRun(url) *** This bug has been marked as a duplicate of bug 419310 ***