yes you are right shell injection flags those characters.
Protect Against Code Injection & sql attacks assertions are a set of regular expressions run against the message body, URL, and attachments and it looks like its not possible to customize the regex matches for the protection assertions.
you can use reg-ex assertion and write your own pattern according to the requirement and use this regex assertion rather than the std sql attack assertion.