diff --git a/packages/dev/commands/plugin.ts b/packages/dev/commands/plugin.ts
index cd455fd..8d16452 100644
--- a/packages/dev/commands/plugin.ts
+++ b/packages/dev/commands/plugin.ts
@@ -91,6 +91,15 @@ export function registerPluginCommand(cli: CAC) {
 			"Manage bot plugins (install, postinstall)",
 		)
 		.action(async (action: string, name: string) => {
+			if (
+				!name ||
+				!/^(?:@[a-z0-9-*~][a-z0-9-*._~]*\/)?[a-z0-9-~][a-z0-9-._~]*$/.test(
+					name,
+				)
+			) {
+				console.error(pc.red(`\n❌ Invalid plugin name: ${name}`));
+				process.exit(1);
+			}
 			const fullName = name.startsWith("@") ? name : `@djs-core/${name}`;
 			const projectRoot = process.cwd();
 
@@ -118,7 +127,6 @@ export function registerPluginCommand(cli: CAC) {
 
 			const result = spawnSync("bun", ["add", fullName], {
 				stdio: "inherit",
-				shell: true,
 			});
 
 			if (result.status !== 0) {
diff --git a/plugins/plugin-prisma-sqlite/index.ts b/plugins/plugin-prisma-sqlite/index.ts
index fdb0cbe..3ec812e 100644
--- a/plugins/plugin-prisma-sqlite/index.ts
+++ b/plugins/plugin-prisma-sqlite/index.ts
@@ -66,7 +66,6 @@ export const prismaPlugin = definePlugin({
 				if (action === "generate") {
 					spawnSync("bunx", ["prisma", "generate"], {
 						stdio: "inherit",
-						shell: true,
 					});
 					process.exit(0);
 				}
@@ -74,7 +73,6 @@ export const prismaPlugin = definePlugin({
 				if (action === "push") {
 					spawnSync("bunx", ["prisma", "db", "push"], {
 						stdio: "inherit",
-						shell: true,
 					});
 					process.exit(0);
 				}