diff --git a/bin/subsplit-worker.php b/bin/subsplit-worker.php
index 11573d5..40e4b05 100644
--- a/bin/subsplit-worker.php
+++ b/bin/subsplit-worker.php
@@ -74,8 +74,8 @@
     }
 
     $command = implode(' && ', array(
-        sprintf('cd %s', $projectWorkingDirectory),
-        sprintf('( git subsplit init %s || true )', $repositoryUrl),
+        sprintf('cd %s', escapeshellarg($projectWorkingDirectory)),
+        sprintf('( git subsplit init %s || true )', escapeshellarg($repositoryUrl)),
         'git subsplit update',
         implode(' ', $publishCommand)
     ));