dot and slash
[ disclaimer: I'm not gonna try this on the production system in front of me ]
ISTM this is merely sloppy use of wildcard expansion. I have always assumed that these are easily prevented by changing the "*" argument (and root users who put that in scripts should be shot - slowly) to "./*" or $EXPLICIT_PATH/ ... which changes what is expanded by the shell from being arguments starting with a dash, into pathnames, all starting with ./<something>
P.S. If you really *were* trying to write a trapdoor into a system, surely you'd use "invisible" files with names containing backspaces or octal \000 characters?