Well, it's insecure in the sense that I'm just echoing data into a command and executing. Considering the messages are logs from a web server, a lot of the data I'm pumping in is user generated.
I was hoping there was a way to execute a command and have logstash pass the data via STDIN without having to pipe it in a command (as shown above), at least not without first escaping the content of the message to make sure it doesn't have unescaped quotes in it, as that would break this:
echo "%{message}" | php /bin/scripts/process.php