diff --git a/builtin/roles/init/init-os/tasks/init_repository.yaml b/builtin/roles/init/init-os/tasks/init_repository.yaml
index ea80cd0fb..b4758423e 100644
--- a/builtin/roles/init/init-os/tasks/init_repository.yaml
+++ b/builtin/roles/init/init-os/tasks/init_repository.yaml
@@ -31,7 +31,7 @@
           mkdir -p /etc/apt/sources.list.d
           # add repository
           rm -rf /etc/apt/sources.list.d/*
-          echo 'deb [trusted=yes]  file://tmp/kubekey/iso /' > /etc/apt/sources.list.d/kubekey.list
+          echo 'deb [trusted=yes]  file:///tmp/kubekey/iso /' > /etc/apt/sources.list.d/kubekey.list
           # update repository
           apt-get update
           # install
diff --git a/pkg/connector/local_connector.go b/pkg/connector/local_connector.go
index 533e20ed0..4ebd68d26 100644
--- a/pkg/connector/local_connector.go
+++ b/pkg/connector/local_connector.go
@@ -97,7 +97,7 @@ func (c *localConnector) ExecuteCommand(ctx context.Context, cmd string) ([]byte
 	klog.V(5).InfoS("exec local command", "cmd", cmd)
 	// find command interpreter in env. default /bin/bash
 
-	command := c.Cmd.CommandContext(ctx, "sudo", "-E", localShell, "-c", cmd)
+	command := c.Cmd.CommandContext(ctx, "sudo", "-E", localShell, "-c", "\"", cmd, "\"")
 	if c.Password != "" {
 		command.SetStdin(bytes.NewBufferString(c.Password + "\n"))
 	}
diff --git a/pkg/connector/ssh_connector.go b/pkg/connector/ssh_connector.go
index 112d0ac72..51ffe184b 100644
--- a/pkg/connector/ssh_connector.go
+++ b/pkg/connector/ssh_connector.go
@@ -24,6 +24,7 @@ import (
 	"io"
 	"io/fs"
 	"os"
+	"os/exec"
 	"os/user"
 	"path/filepath"
 	"strings"
@@ -234,7 +235,7 @@ func (c *sshConnector) FetchFile(_ context.Context, src string, dst io.Writer) e
 }
 
 // ExecuteCommand in remote host
-func (c *sshConnector) ExecuteCommand(_ context.Context, cmd string) ([]byte, error) {
+func (c *sshConnector) ExecuteCommand(ctx context.Context, cmd string) ([]byte, error) {
 	klog.V(5).InfoS("exec ssh command", "cmd", cmd, "host", c.Host)
 	// create ssh session
 	session, err := c.client.NewSession()
@@ -245,7 +246,8 @@ func (c *sshConnector) ExecuteCommand(_ context.Context, cmd string) ([]byte, er
 	}
 	defer session.Close()
 
-	cmd = fmt.Sprintf("sudo -E %s -c \"%q\"", c.shell, cmd)
+	//nolint:gosec
+	command := exec.CommandContext(ctx, "sudo", "-E", c.shell, "-c", "\"", cmd, "\"")
 	// get pipe from session
 	stdin, _ := session.StdinPipe()
 	stdout, _ := session.StdoutPipe()
@@ -255,7 +257,7 @@ func (c *sshConnector) ExecuteCommand(_ context.Context, cmd string) ([]byte, er
 		return nil, err
 	}
 	// Start the remote command
-	if err := session.Start(cmd); err != nil {
+	if err := session.Start(command.String()); err != nil {
 		return nil, err
 	}
 	if c.Password != "" {