diff --git a/scripts/run-discord-scrape-host.sh b/scripts/run-discord-scrape-host.sh
index 511bb17f..94eab4da 100755
--- a/scripts/run-discord-scrape-host.sh
+++ b/scripts/run-discord-scrape-host.sh
@@ -44,10 +44,33 @@ require_program() {
 load_env_file() {
 [[ -f "$ENV_FILE" ]] || die "Missing env file: $ENV_FILE"
- set -a
- # shellcheck disable=SC1090
- source "$ENV_FILE"
- set +a
+ local raw_line line key value
+
+ while IFS= read -r raw_line || [[ -n "$raw_line" ]]; do
+ line=$(printf '%s' "$raw_line" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
+ [[ -n "$line" ]] || continue
+ if [[ "$line" == \#* ]]; then
+ continue
+ fi
+ if [[ "$line" == export\ * ]]; then
+ line=${line#export }
+ line=$(printf '%s' "$line" | sed -E 's/^[[:space:]]+//')
+ fi
+
+ [[ "$line" =~ ^[A-Za-z_][A-Za-z0-9_]*= ]] || die "Invalid env assignment in $ENV_FILE: $raw_line"
+
+ key=${line%%=*}
+ value=${line#*=}
+
+ if [[ "$value" =~ ^\".*\"$ ]]; then
+ value=${value:1:${#value}-2}
+ elif [[ "$value" =~ ^\'.*\'$ ]]; then
+ value=${value:1:${#value}-2}
+ fi
+
+ printf -v "$key" '%s' "$value"
+ export "$key"
+ done <"$ENV_FILE"
 }
 load_token_from_file() {
diff --git a/scripts/tests/run-discord-scrape-host-smoke.sh b/scripts/tests/run-discord-scrape-host-smoke.sh
index eaf307d6..943ec2ea 100755
--- a/scripts/tests/run-discord-scrape-host-smoke.sh
+++ b/scripts/tests/run-discord-scrape-host-smoke.sh
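Review bot: In `load_env_file` (scripts/run-discord-scrape-host.sh), an env line whose name is one of the function's own locals (`raw_line`, `line`, `key`, `value`) makes `printf -v "$key"` overwrite the loop variable, so the following `export "$key"` is handed the file's value instead of the name the regex just validated. Doing the assignment in one step with `export "$key=$value"` removes that second expansion. The parser also accepts any well-formed name, so the file can still set variables that affect later command lookup, including the `sed` call on the next iteration. If the env file is meant to be treated as untrusted, which the smoke test's malicious.env suggests, a guard before the assignment would cover that, for example `case "$key" in PATH|IFS|BASH_ENV|LD_*) die "Refusing to set $key from $ENV_FILE" ;; esac`, or an allow-list of the names the script actually reads.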
@@ -55,17 +55,30 @@ EOF chmod +x "$FAKE_DOCKER" run_host() { + local mode=$1 + local env_path=${2:-$ENV_FILE} + DCE_REPO_ROOT="$REPO_ROOT" \ DCE_DOCKER_BIN="$FAKE_DOCKER" \ - DCE_ENV_FILE="$ENV_FILE" \ + DCE_ENV_FILE="$env_path" \ DCE_COMPOSE_FILE="$COMPOSE_FILE" \ FAKE_DOCKER_CALL_COUNT="$CALL_COUNT" \ FAKE_DOCKER_TOKEN_FILE="$TOKEN_FILE" \ - FAKE_DOCKER_MODE="$1" \ + FAKE_DOCKER_MODE="$mode" \ "$REPO_ROOT/scripts/run-discord-scrape-host.sh" scrape --target demo } +MALICIOUS_ENV="$TMP_DIR/malicious.env" +MARKER_FILE="$TMP_DIR/marker" +cat >"$MALICIOUS_ENV" </dev/null +[[ ! -e "$MARKER_FILE" ]] || { echo "env parsing executed shell payload unexpectedly" >&2; exit 1; } + printf 'stale-token\n' >"$TOKEN_FILE" +printf '0' >"$CALL_COUNT" cat >"$ENV_FILE" <