diff --git a/hub/offboard-spoke.sh b/hub/offboard-spoke.sh
index 90b09d0..16c6ac9 100755
--- a/hub/offboard-spoke.sh
+++ b/hub/offboard-spoke.sh
@@ -58,6 +58,7 @@ echo ""
 read -rp "Spoke name to offboard: " SPOKE_NAME
 [ -n "$SPOKE_NAME" ] || die "Spoke name cannot be empty"
+[[ "$SPOKE_NAME" =~ ^[a-zA-Z0-9._-]+$ ]] || die "Invalid spoke name — use only letters, numbers, dots, underscores, hyphens."
 SPOKE_LINE=$(grep "^$SPOKE_NAME " "$REGISTRY" 2>/dev/null || true)
 [ -n "$SPOKE_LINE" ] || die "Spoke '$SPOKE_NAME' not found in registry."
diff --git a/spoke/setup-spoke.sh b/spoke/setup-spoke.sh
index f134b4c..dc153d8 100755
--- a/spoke/setup-spoke.sh
+++ b/spoke/setup-spoke.sh
@@ -176,6 +176,7 @@ CURRENT_HOSTNAME=$(hostname)
 echo -e "Current hostname: ${YELLOW}$CURRENT_HOSTNAME${NC}"
 read -rp "Enter a hostname for this spoke (e.g. rocky, gouda, camembert): " SPOKE_NAME
 SPOKE_NAME="${SPOKE_NAME:-$CURRENT_HOSTNAME}"
+[[ "$SPOKE_NAME" =~ ^[a-zA-Z0-9._-]+$ ]] || die "Spoke name '$SPOKE_NAME' contains invalid characters. Use only letters, numbers, dots, underscores, hyphens."
 hostnamectl set-hostname "$SPOKE_NAME"
 echo "$SPOKE_NAME" > /etc/hostname
 info "Hostname set to: $SPOKE_NAME"
@@ -243,12 +244,12 @@ if [[ "${DISABLE_PASS,,}" == "y" ]]; then
 warn "No key found at $KEY_PATH — skipping password auth disable to avoid lockout."
 else
 if grep -q "^PasswordAuthentication" "$SSHD_CONF"; then
- sed -i "s/^PasswordAuthentication.*/PasswordAuthentication no/" "$SSHD_CONF"
+ sed -i "s|^PasswordAuthentication.*|PasswordAuthentication no|" "$SSHD_CONF"
 else
 echo "PasswordAuthentication no" >> "$SSHD_CONF"
 fi
 if grep -q "^PubkeyAuthentication" "$SSHD_CONF"; then
- sed -i "s/^PubkeyAuthentication.*/PubkeyAuthentication yes/" "$SSHD_CONF"
+ sed -i "s|^PubkeyAuthentication.*|PubkeyAuthentication yes|" "$SSHD_CONF"
 else
 echo "PubkeyAuthentication yes" >> "$SSHD_CONF"
 fi
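Review bot: The allow-list added in hub/offboard-spoke.sh still admits `.`, which the following `grep "^$SPOKE_NAME " "$REGISTRY"` treats as a regex wildcard, so a name such as `a.b` also selects a registry line for `axb` and SPOKE_LINE can end up holding the wrong spoke or several lines. Matching the name literally closes that gap, for example `SPOKE_LINE=$(awk -v n="$SPOKE_NAME" 'index($0, n " ") == 1' "$REGISTRY")`. What is done with SPOKE_LINE lies outside the hunk, so the effect of a wrong match on the offboarding steps should be confirmed there.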
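Review bot: The pattern added before `hostnamectl set-hostname "$SPOKE_NAME"` in spoke/setup-spoke.sh accepts a leading hyphen, so an input such as `-n` passes the check, may be parsed as an option by hostnamectl, and makes `echo "$SPOKE_NAME" > /etc/hostname` write an empty file if the script gets that far. Requiring an alphanumeric first character avoids this, `[[ "$SPOKE_NAME" =~ ^[a-zA-Z0-9][a-zA-Z0-9._-]*$ ]]`, and `printf '%s\n' "$SPOKE_NAME" > /etc/hostname` does not interpret its argument the way echo does. The same pattern in hub/offboard-spoke.sh should be tightened identically so that every name accepted at setup can also be offboarded.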
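Review bot: Rewriting or appending `PasswordAuthentication no` in "$SSHD_CONF" does not guarantee that password logins are off, because sshd keeps the first value it reads for each keyword: a drop-in pulled in by an `Include` near the top of the file takes precedence, and a line appended with `>>` can land inside a trailing `Match` block. The delimiter change from `/` to `|` in the two sed calls does not affect this, since neither expression interpolates a variable. After the edit I would check the effective setting and report loudly if it is wrong, e.g. `sshd -T | grep -qi '^passwordauthentication no' || warn "PasswordAuthentication is still enabled"`, and run `sshd -t` before any restart. The enclosing if block starts and ends outside the hunk, so a later check may already exist.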
@@ -297,13 +298,14 @@ info "Scanning for a free port on $HUB_HOST starting from $START_PORT..."
 find_free_port() {
 local start="$1"
- for PORT in $(seq "$start" $((start + 99))); do
- RESULT=$(sudo -u "$SPOKE_USER" ssh -i "$KEY_PATH" "$HUB_USER@$HUB_HOST" "ss -tlnp | grep :$PORT" 2>/dev/null || true)
- if [ -z "$RESULT" ]; then
- echo "$PORT"
+ local port result
+ for port in $(seq "$start" $((start + 99))); do
+ result=$(sudo -u "$SPOKE_USER" ssh -i "$KEY_PATH" "$HUB_USER@$HUB_HOST" "ss -tlnp | grep :$port" 2>/dev/null || true)
+ if [ -z "$result" ]; then
+ echo "$port"
 return 0
 fi
- warn "Port $PORT is in use, trying next..."
+ warn "Port $port is in use, trying next..."
 done
 return 1
 }
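Review bot: An SSH failure is indistinguishable from a free port in find_free_port, because the per-port call ends in `2>/dev/null || true` and an empty `result` is taken to mean nothing is listening; if the hub is unreachable or the key is rejected, the first candidate port is returned as free. The unanchored `grep :$port` also reports a port as busy when it is only a prefix of a listening one (for instance `:2201` matches `:22010`). Fetching the listener list once, checking the ssh exit status, and matching the port as a whole field addresses both and removes up to 99 extra round trips. Callers are outside the hunk, so confirm they treat a non-zero return as "could not determine" and not only as "range exhausted".

```shell
find_free_port() {
  local start="$1"
  local port listening
  # Query the hub once; a failed SSH session must not look like "no listener".
  listening=$(sudo -u "$SPOKE_USER" ssh -i "$KEY_PATH" "$HUB_USER@$HUB_HOST" "ss -tln" 2>/dev/null) \
    || return 1
  for port in $(seq "$start" $((start + 99))); do
    # Match the port as a whole field so a longer port number is not a hit.
    if ! grep -q ":$port[[:space:]]" <<<"$listening"; then
      echo "$port"
      return 0
    fi
    # … unchanged: "in use" warning …
  done
  # … unchanged: return 1 and end of function …
```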