Currently there are no check done on the module and function names of security policies. Admin UI expects these to be limited to \w+ in route parameters.

There is no documentation the states these character limitations but looking at the source it seems to be the wanted behavior.