TextCarver has one minor security vulnerability: it uses CommonMark, which has some known security issues. So you should understand those (and HTML sanitization more generally) before running untrusted source code through it.

Oh, actually it has another giant, gaping security vulnerability: TextCarver is by design a robust programming language. So running untrusted code through it creates a vast number of security vulnerabilities. And if that wasn’t bad enough, it allows execution of arbitrary JavaScript.

So I probably wouldn’t even consider running untrusted code through it, if I were you.

Next: What’s Missing?