The local variables list is a potential security hole, exposing the user to "Trojan horse" attacks. Imagine a variable setting that causes Emacs to behave in an unexpected way; or an eval that has unexpected side-effects, like deleting files or forging email in your name. All an attacker has to do is entice you to visit a file with such a setting in its local variables list. As soon as you visit the file, the code is executed.

The way to protect yourself is to put

(setq enable-local-variables 'query)

in your .emacs. This causes Emacs to present any local variables list to you for inspection before executing it. There's also enable-local-eval, specifically controlling the eval pseudovariable.