Why this matters

The bug. Any time eval meets a value that came from a request, an argument, or $_GET, treat it as remote code execution. Even without eval, an unquoted /home/$USER_NAME is split into separate words on whitespace.

The fix. Drop the eval entirely (it adds nothing here) and quote the path. If you genuinely need dynamic command construction, use arrays: cmd=(tar czf - "/home/$USER_NAME"); "${cmd[@]}".

Bash hygiene. set -euo pipefail is good. shellcheck would have caught this in CI.
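The bug and the fix above, side by side, as an added example that is not code from the original script. count_args is a hypothetical stand-in for tar that only reports how many arguments it received, and both input values are constructed.

```bash
#!/usr/bin/env bash
# Added illustration; count_args stands in for tar so nothing is archived.
set -euo pipefail

# Prints how many arguments the command would have received.
count_args() { echo "$#"; }

# 'Before' shape: eval re-parses the string, so metacharacters in
# USER_NAME become shell syntax and a second command runs.
via_eval() {
    local USER_NAME=$1
    eval "count_args czf - /home/$USER_NAME"
}

# No eval, still unquoted: nothing extra executes, but the value is
# word-split (and glob-expanded), so tar would see extra arguments.
# ShellCheck reports this line as SC2086.
via_unquoted() {
    local USER_NAME=$1
    count_args czf - /home/$USER_NAME
}

# The fix from the text: build the command as an array, quote the path.
via_array() {
    local USER_NAME=$1
    local cmd=(count_args czf - "/home/$USER_NAME")
    "${cmd[@]}"
}

# Constructed inputs: one ordinary name, one carrying a harmless marker.
for name in 'alice' 'alice; echo INJECTED'; do
    printf 'input=%q\n' "$name"
    printf '  eval:     %s\n' "$(via_eval "$name" | tr '\n' ' ')"
    printf '  unquoted: %s\n' "$(via_unquoted "$name")"
    printf '  array:    %s\n' "$(via_array "$name")"
done
```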

Review heuristic

If a string built from a request flows into a function whose name contains shell, system, exec, popen, or eval, treat it as actively dangerous until you can show that no part of the string is attacker-controlled.

External reference: CWE-78: OS Command Injection.

CWE-78; common shell-script CVE pattern.