diff --git a/bin/lib/credentials.js b/bin/lib/credentials.js
index 67cf01dfe5..523b21b1aa 100644
--- a/bin/lib/credentials.js
+++ b/bin/lib/credentials.js
@@ -4,7 +4,7 @@
 const fs = require("fs");
 const path = require("path");
 const readline = require("readline");
-const { execSync } = require("child_process");
+const { execFileSync } = require("child_process");
 const CREDS_DIR = path.join(process.env.HOME || "/tmp", ".nemoclaw");
 const CREDS_FILE = path.join(CREDS_DIR, "credentials.json");
@@ -174,7 +174,10 @@ async function ensureApiKey() {
 function isRepoPrivate(repo) {
 try {
- const json = execSync(`gh api repos/${repo} --jq .private 2>/dev/null`, { encoding: "utf-8" }).trim();
+ const json = execFileSync("gh", ["api", `repos/${repo}`, "--jq", ".private"], {
+ encoding: "utf-8",
+ stdio: ["ignore", "pipe", "ignore"],
+ }).trim();
 return json === "true";
 } catch {
 return false;
@@ -189,7 +192,10 @@ async function ensureGithubToken() {
 }
 try {
- token = execSync("gh auth token 2>/dev/null", { encoding: "utf-8" }).trim();
+ token = execFileSync("gh", ["auth", "token"], {
+ encoding: "utf-8",
+ stdio: ["ignore", "pipe", "ignore"],
+ }).trim();
 if (token) {
 process.env.GITHUB_TOKEN = token;
 return;
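Review bot: `repo` is still interpolated unvalidated into the API path `repos/${repo}` in isRepoPrivate; dropping the shell removes the command-injection path, but a value with extra path segments, `..` or a query string would make `gh api` ask a different endpoint than the caller intended. A guard before the call, for example `if (!/^[\w.-]+\/[\w.-]+$/.test(repo)) return false;`, keeps the argument to an `owner/name` shape. Both new `execFileSync` calls (here and in ensureGithubToken) also run without a `timeout`, so a stalled `gh` blocks the synchronous CLI; adding `timeout: 10000` (constructed value) to the options object bounds it. The function answers `false` on every failure, so callers presumably treat "unknown" as "public"; confirm that is the intended fail direction, and note the catch block closes outside the hunk.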
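Review bot: The value returned by `gh auth token` is written to `process.env.GITHUB_TOKEN` right after the new call, so every child process this CLI starts afterwards inherits the credential. With the calls now going through `execFileSync`, the token can instead be handed only to the commands that need it through the `env` option, which narrows where it is exposed. If the process-wide export is intentional, say so above the assignment: `// exported so later child processes can authenticate; never log this value`. Discarding stderr via `stdio: ["ignore", "pipe", "ignore"]` also hides why `gh` failed, and the enclosing try/catch continues outside the hunk, so whether that failure is reported anywhere cannot be seen from here.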