You are probably aware already that you are onto something of a special thing with your Triggercmd agent, and as soon as you manage to deploy to android and iPhone I believe you are going to get allot of interest from investors because you would then have a foothold and ability across all major platforms.
Just by installing an accessible agent on a device wipes out the most robust form of security, which is inaccessibility. Then opening channels\triggers over the agent diminishes the security further.
I believe security needs to come at the point of accessing the exposed webhook\agent on the device and not in limiting the functionality. By allowing variables you are enhancing your potential market place to automation specialists. The ability to only initiate a static predefined trigger is very restrictive.
Your concern is warranted, as there is a posibility of a breach in security especially because a simple key does not offer much of a security blanket. Maybe offer a warning that if the end user "enables" variables on a trigger he is increasing his risk. Maybe upgrade accessibility security to certificates as used by virtual private networks. Maybe limit the originating request to zapier and other trusted services.
If you gave me the option in my use case I would enable variables.
Thanks for considering it.