diff --git a/lib/kamal/secrets/adapters/bitwarden.rb b/lib/kamal/secrets/adapters/bitwarden.rb
index 42fad2e89..37717ef55 100644
--- a/lib/kamal/secrets/adapters/bitwarden.rb
+++ b/lib/kamal/secrets/adapters/bitwarden.rb
@@ -4,7 +4,7 @@ def login(account)
 status = run_command("status")
 if status["status"] == "unauthenticated"
- run_command("login #{account}")
+ run_command("login #{account.shellescape}", raw: true)
 status = run_command("status")
 end
@@ -24,7 +24,7 @@ def login(account)
 def fetch_from_vault(secrets, account:, session:)
 {}.tap do |results|
 items_fields(secrets).each do |item, fields|
- item_json = run_command("get item #{item}", session: session, raw: true)
+ item_json = run_command("get item #{item.shellescape}", session: session, raw: true)
 raise RuntimeError, "Could not read #{secret} from Bitwarden" unless $?.success?
 item_json = JSON.parse(item_json)
@@ -57,7 +57,7 @@ def signedin?(account)
 end
 def run_command(command, session: nil, raw: false)
- full_command = [ *("BW_SESSION=#{session}" if session), "bw", command ].join(" ")
+ full_command = [ *("BW_SESSION=#{session.shellescape}" if session), "bw", command ].join(" ")
 result = `#{full_command}`.strip
 raw ? result : JSON.parse(result)
 end
diff --git a/lib/kamal/secrets/adapters/last_pass.rb b/lib/kamal/secrets/adapters/last_pass.rb
index ab46e2cda..dd4dd06a5 100644
--- a/lib/kamal/secrets/adapters/last_pass.rb
+++ b/lib/kamal/secrets/adapters/last_pass.rb
@@ -2,7 +2,7 @@ class Kamal::Secrets::Adapters::LastPass < Kamal::Secrets::Adapters::Base
 private
 def login(account)
 unless loggedin?(account)
- `lpass login #{account}`
+ `lpass login #{account.shellescape}`
 raise RuntimeError, "Failed to login to 1Password" unless $?.success?
 end
 end
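Review bot: `String#shellescape`, used in `login` (bitwarden.rb) and in every other hunk of this commit, comes from the `shellwords` standard library, and no `require "shellwords"` is visible in any of the three patched files. If nothing else loads it before these adapters run, the first call raises `NoMethodError` instead of escaping the value; adding `require "shellwords"` where the adapters are loaded would make the dependency explicit. The body of `login` continues outside the hunk.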
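Review bot: The `raise` directly after the changed line in `fetch_from_vault` (bitwarden.rb) interpolates `secret`, but the names visible in scope are `secrets`, `item` and `fields`. Unless `secret` is a method defined elsewhere, a failed `bw get item` surfaces as a `NameError` rather than the intended message; `raise RuntimeError, "Could not read #{item} from Bitwarden" unless $?.success?` would report the item that actually failed. The function body continues past the end of the hunk.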
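Review bot: `run_command` (bitwarden.rb) still interpolates `command` into the shell string as-is, so the fix holds only while every caller remembers to escape its own arguments; only `session` is escaped here. Running `bw` without a shell would enforce that in one place, for example `result = IO.popen([ { "BW_SESSION" => session }.compact, "bw", *command.shellsplit ], &:read).strip`, which hands the session token to the child through its environment instead of a shell-parsed string. If the backtick form stays, a comment on the method stating that `command` must arrive already escaped is the minimum.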
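Review bot: The failure message in `login` (last_pass.rb) reads "Failed to login to 1Password" although this is the LastPass adapter, and the `raise` in `fetch_from_vault` in the next hunk of the same file has the same wording ("from 1Password"). An operator debugging a failed fetch is pointed at the wrong password manager; `raise RuntimeError, "Failed to login to LastPass" unless $?.success?` and the matching change in `fetch_from_vault` would correct it.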
@@ -12,7 +12,7 @@ def loggedin?(account)
 end
 def fetch_from_vault(secrets, account:, session:)
- items = `lpass show #{secrets.join(" ")} --json`
+ items = `lpass show #{secrets.map(&:shellescape).join(" ")} --json`
 raise RuntimeError, "Could not read #{secrets} from 1Password" unless $?.success?
 items = JSON.parse(items)
diff --git a/lib/kamal/secrets/adapters/one_password.rb b/lib/kamal/secrets/adapters/one_password.rb
index 9b68ca689..02287a385 100644
--- a/lib/kamal/secrets/adapters/one_password.rb
+++ b/lib/kamal/secrets/adapters/one_password.rb
@@ -11,7 +11,7 @@ def login(account)
 end
 def loggedin?(account)
- `op account get --account #{account}`
+ `op account get --account #{account.shellescape}`
 $?.success?
 end
@@ -54,7 +54,7 @@ def op_item_get(vault, item, fields, account:, session:)
 labels = fields.map { |field| "label=#{field}" }.join(",")
 options = to_options(vault: vault, fields: labels, format: "json", account: account, session: session.presence)
- `op item get #{item} #{options}`.tap do
+ `op item get #{item.shellescape} #{options}`.tap do
 raise RuntimeError, "Could not read #{fields.join(", ")} from #{item} in the #{vault} 1Password vault" unless $?.success?
 end
 end
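Review bot: Escaping each name in `fetch_from_vault` (last_pass.rb) stops the shell from interpreting it, but a name that begins with `-` is still parsed by `lpass show` as an option rather than as an item. If `lpass` honors the conventional `--` end-of-options marker, putting the flag first and writing `lpass show --json -- #{secrets.map(&:shellescape).join(" ")}` inside the backticks keeps every name positional. The same consideration applies to the `account` and `item` values passed positionally in the other adapters.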
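Review bot: In `op_item_get` (one_password.rb) only `item` is escaped; `options` is interpolated into the same backtick string unchanged. That leaves `vault`, the `label=` list built from `fields`, `account` and `session` safe only if `to_options`, which is defined outside this hunk, escapes each value. If it does not, the escaping belongs there, one `shellescape` per value where the option pairs are built, rather than at each call site. This should be confirmed before treating the hunk as the complete fix.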