diff --git a/bench_security b/bench_security
new file mode 100755
index 00000000..878c64c8
Binary files /dev/null and b/bench_security differ
diff --git a/src/modules/mod.rs b/src/modules/mod.rs
index b73cf0bd..f05de83a 100644
--- a/src/modules/mod.rs
+++ b/src/modules/mod.rs
@@ -176,11 +176,14 @@ pub fn validate_shell_safe_string(value: &str, param_name: &str) -> ModuleResult
 }
 // Reject shell metacharacters that enable command injection
- const SHELL_METACHARACTERS: &[char] = &[
- '$', '`', '|', '&', ';', '<', '>', '(', ')', '\n', '\r', '\t', '\\', '!',
- ];
-
- if value.chars().any(|c| SHELL_METACHARACTERS.contains(&c)) {
+ // Optimization: Check bytes directly to avoid UTF-8 decoding and linear slice scan.
+ // All these metacharacters are ASCII (single byte), so this is safe and correct even for UTF-8 strings.
+ if value.bytes().any(|b| matches!(b,
+ b'$' | b'`' | b'|' | b'&' | b';' | b'<' | b'>' | b'(' | b')' | b'\n' | b'\r' | b'\t' | b'\\' | b'!'
+ )) {
+ const SHELL_METACHARACTERS: &[char] = &[
+ '$', '`', '|', '&', ';', '<', '>', '(', ')', '\n', '\r', '\t', '\\', '!',
+ ];
 let found_chars: Vec = value
 .chars()
 .filter(|c| SHELL_METACHARACTERS.contains(c))
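Review bot: The metacharacter set is now written twice in this hunk, once as the byte pattern inside `matches!` and once as the `SHELL_METACHARACTERS` char list used to build `found_chars`, and nothing keeps the two in sync. If a character is later added only to the list, the byte check lets it through and the injection guard weakens without any test failing; if it is added only to the pattern, the value is rejected with an empty list of offending characters. I would move the pattern into one predicate, `fn is_shell_metachar(b: u8) -> bool`, and use it in both places: `value.bytes().any(is_shell_metachar)` and `.filter(|c| c.is_ascii() && is_shell_metachar(*c as u8))`. The body of `validate_shell_safe_string` starts and ends outside the hunk, so checks made before this point are not visible here. Separately, the commit adds `bench_security` as an executable binary (mode 100755), which cannot be reviewed; it looks like a build artefact and would be better removed and ignored, with the benchmark built from source.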