The validator only ever checks the first child of a command node, and only if it is a word node; however, an environment variable assignment isn't a word node, so the check gets entirely ignored.

Spawn an unrestricted shell by running X=1 sh -i and cat the flag.