diff --git a/.github/workflows/integrity-check.yml b/.github/workflows/integrity-check.yml
index 3ed2a4c3..b46fad84 100644
--- a/.github/workflows/integrity-check.yml
+++ b/.github/workflows/integrity-check.yml
@@ -4,6 +4,9 @@ on:
   push: { branches: [main] }
   pull_request: {}
+permissions:
+  contents: read
+
 env:
   CODECOV_TOKEN: '2f2eb890-30e2-4724-83eb-7633832cf0de'
diff --git a/package.json b/package.json
index 1f123aa3..38b35245 100644
--- a/package.json
+++ b/package.json
@@ -50,6 +50,7 @@
     "nanoid": "^3.3.1",
     "reflect-metadata": "^0.1.13",
     "semver": "^7.5.2",
+    "shell-quote": "^1.8.3",
     "ts-md5": "^1.3.1",
     "unity-changeset": "^2.0.0",
     "uuid": "^9.0.0",
diff --git a/src/model/cloud-runner/providers/local/index.ts b/src/model/cloud-runner/providers/local/index.ts
index c8822f53..f9908a13 100644
--- a/src/model/cloud-runner/providers/local/index.ts
+++ b/src/model/cloud-runner/providers/local/index.ts
@@ -6,6 +6,7 @@ import { ProviderInterface } from '../provider-interface';
 import CloudRunnerSecret from '../../options/cloud-runner-secret';
 import { ProviderResource } from '../provider-resource';
 import { ProviderWorkflow } from '../provider-workflow';
+import { quote } from 'shell-quote';
 class LocalCloudRunner implements ProviderInterface {
   listResources(): Promise {
@@ -69,12 +70,12 @@ class LocalCloudRunner implements ProviderInterface {
     // On Windows, many built-in hooks use POSIX shell syntax. Execute via bash if available.
     if (process.platform === 'win32') {
       const inline = commands
-        .replace(/"/g, '\\"')
         .replace(/\r/g, '')
         .split('\n')
         .filter((x) => x.trim().length > 0)
         .join(' ; ');
-      const bashWrapped = `bash -lc "${inline}"`;
+      // Use shell-quote to properly escape the command string, preventing command injection
+      const bashWrapped = `bash -lc ${quote([inline])}`;
       return await CloudRunnerSystem.Run(bashWrapped);
     }
diff --git a/yarn.lock b/yarn.lock
index 95e4c0f7..aea0a0c3 100644
--- a/yarn.lock
+++ b/yarn.lock
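Review bot: The new `permissions: contents: read` block only scopes `GITHUB_TOKEN`; the `CODECOV_TOKEN` two lines below it is still a literal credential committed in the workflow, and a token readable in a public workflow file lets anyone who reads it upload coverage reports as this repository. It should be sourced from repository secrets instead, `CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}`, and the committed value rotated, since it is already in git history regardless of this change. The `permissions` default itself is the right direction; if a job later needs write access (checks, PR comments), grant it per job rather than widening the workflow-level block.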
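Review bot: `quote([inline])` produces POSIX quoting (single quotes, `'\''` for embedded quotes), but this branch runs only when `process.platform === 'win32'`, where the host shell that receives `bashWrapped` is presumably cmd.exe if `CloudRunnerSystem.Run` uses `child_process.exec`; cmd does not treat single quotes as quoting, so `&`, `|`, `>` and `%VAR%` inside the hook commands may still be parsed by cmd before bash sees them, and how bash's own Windows argv parsing handles a single-quoted argument is not guaranteed either. The removed `.replace(/"/g, '\\"')` plus double quotes at least kept cmd's metacharacters inert, so this looks more like a Windows regression than a hardening, and the comment's claim of "preventing command injection" overstates it: the hook body is executed by bash as a script by design, so quoting can only stop the host shell from re-parsing it, never make the body itself safe. The robust fix is to not pass the script through a host shell string at all, e.g. spawn `bash -l` with an argv array and write `inline` to its stdin, or write it to a temp file and run `bash -l <file>`, assuming `CloudRunnerSystem.Run` or a sibling helper can take an argv form. If it cannot, the comment should at least state the actual guarantee: `// Quote for the host shell only; the hook body is still executed as a bash script`. The enclosing method starts and ends outside the hunk.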
@@ -7016,6 +7016,11 @@ shebang-regex@^3.0.0:
   resolved "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz"
   integrity sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==
+shell-quote@^1.8.3:
+  version "1.8.3"
+  resolved "https://registry.yarnpkg.com/shell-quote/-/shell-quote-1.8.3.tgz#55e40ef33cf5c689902353a3d8cd1a6725f08b4b"
+  integrity sha512-ObmnIF4hXNg1BqhnHmgbDETF8dLPCggZWBjkQfhZpbszZnYur5DUljTcCHii5LC3J5E0yeO/1LIMyH+UvHQgyw==
+
 shelljs@^0.8.2, shelljs@^0.8.5:
   version "0.8.5"
   resolved "https://registry.npmjs.org/shelljs/-/shelljs-0.8.5.tgz"