SSI directives are as secure as you are. Don't execute any commands that might do bad things or provide too much information. We suggest that directives like this not be included:
<!--#exec cmd="/bin/cat /etc/passwd"-->
On the other hand, SSI doesn't let the client do anything not specifically allowed by the server, so it's relatively harmless. But don't do anything stupid, anyway.