diff --git a/eh/src/main.rs b/eh/src/main.rs
index 6369154..13c29f4 100644
--- a/eh/src/main.rs
+++ b/eh/src/main.rs
@@ -36,6 +36,12 @@ fn dispatch_multicall(
   args: std::env::Args,
 ) -> Option<Result<i32>> {
   let rest: Vec<String> = args.collect();
+  
+  // Validate arguments before processing
+  if let Err(e) = util::validate_nix_args(&rest) {
+    return Some(Err(e));
+  }
+  
   let hash_extractor = util::RegexHashExtractor;
   let fixer = util::DefaultNixFileFixer;
   let classifier = util::DefaultNixErrorClassifier;
diff --git a/eh/src/util.rs b/eh/src/util.rs
index 9896e18..f452296 100644
--- a/eh/src/util.rs
+++ b/eh/src/util.rs
@@ -174,7 +174,7 @@ fn pre_evaluate(_subcommand: &str, args: &[String]) -> Result<bool> {
   Ok(false)
 }
 
-fn validate_nix_args(args: &[String]) -> Result<()> {
+pub fn validate_nix_args(args: &[String]) -> Result<()> {
   const DANGEROUS_PATTERNS: &[&str] = &[
     ";", "&&", "||", "|", "`", "$(", "${", ">", "<", ">>", "<<", "2>", "2>>",
   ];