diff --git a/commands/download.php b/commands/download.php
index b42b805..995f9cc 100755
--- a/commands/download.php
+++ b/commands/download.php
@@ -20,6 +20,7 @@
 'command' => static function (CLI $cli): void {
 $client = new Client();
 $progress = $cli->progress()->total(100);
+ $file = $cli->arg('file');
 try {
 $response = $client->get($cli->arg('url'), [
@@ -35,7 +36,7 @@
 },
 ]);
- file_put_contents($cli->arg('file'), (string)$response->getBody());
+ file_put_contents($file, (string)$response->getBody());
 } catch (Throwable $e) {
 throw new Exception('The file could not be downloaded. (Status: ' . $e->getResponse()->getStatusCode() . ')');
 }
diff --git a/commands/unzip.php b/commands/unzip.php
index 067272f..8b25d53 100755
--- a/commands/unzip.php
+++ b/commands/unzip.php
@@ -29,7 +29,7 @@
 }
 // extract the zip file
- exec('unzip ' . $file . ' -d ' . $to);
+ exec('unzip ' . escapeshellarg($file) . ' -d ' . escapeshellarg($to));
 $to = realpath($to);
@@ -40,7 +40,7 @@
 throw new Exception('The archive directory could not be found');
 }
- exec('mv ' . $to . '/*/{.[!.],}* ' . $to . '/');
- exec('rm -rf ' . $archive);
+ exec('mv ' . escapeshellarg($to) . '/*/{.[!.],}* ' . escapeshellarg($to) . '/');
+ exec('rm -rf ' . escapeshellarg($archive));
 }
 ];
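Review bot: In the `@@ -35,7 +36,7 @@` hunk of commands/download.php, the return value of `file_put_contents($file, …)` is discarded, so a failed write (it returns `false` and raises a warning rather than throwing) leaves the command looking successful. Checking it inside this `try` is not enough on its own, because the `catch (Throwable $e)` handler calls `$e->getResponse()` on whatever was thrown, and a plain `Exception` has no such method. I would do the write after the `try`/`catch` as `if (file_put_contents($file, (string)$response->getBody()) === false) { throw new Exception('The file could not be written'); }` and narrow the catch to the HTTP client's exception type that actually provides `getResponse()`. The `try` opens in the previous hunk and the closure continues past this one.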
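Review bot: In the `@@ -29,7 +29,7 @@` hunk of commands/unzip.php, `escapeshellarg()` keeps the shell from interpreting `$file`, but a value that begins with `-` is still read by `unzip` as an option rather than a path. `$file` is set outside the hunk, so an earlier check may already cover this; if not, resolving it with `realpath()` before the call guarantees an absolute path. The exit status is also ignored, so a failed extraction carries on into `realpath($to)`; `exec('unzip ' . escapeshellarg($file) . ' -d ' . escapeshellarg($to), $output, $status);` followed by a check of `$status` would surface that (unzip uses status 1 for warnings, so the threshold needs choosing deliberately).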
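Review bot: In the `@@ -40,7 +40,7 @@` hunk of commands/unzip.php, `$to` comes from `realpath($to)` in the previous hunk, and `realpath()` returns `false` when the path cannot be resolved; the lines between the two hunks are not shown, so I cannot see a check for that. If `false` is coerced to an empty string, the `mv` pattern would be anchored at the filesystem root, so a guard such as `if ($to === false) { throw new Exception('The target directory could not be resolved'); }` directly after the `realpath()` call is worth adding. The `rm -rf` also runs whether or not `mv` succeeded; passing a result-code variable to the `mv` `exec()` and removing `$archive` only on success would avoid deleting files that were never moved. The `{.[!.],}*` pattern relies on brace expansion, which the shell used by `exec()` may not support when `/bin/sh` is not bash.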