diff --git a/internal/recipe/loader.go b/internal/recipe/loader.go
index 8ccffc6..812ffaa 100644
--- a/internal/recipe/loader.go
+++ b/internal/recipe/loader.go
@@ -75,9 +75,13 @@ func Load(path string, userParams map[string]any) (*Recipe, error) {
 	safeMap := safeCommands()
 	for _, cmd := range r.AllowedShellCommands {
 		trimmed := strings.ToLower(strings.TrimSpace(cmd))
+
 		allowed := false
 		for safe := range safeMap {
-			if strings.HasPrefix(trimmed, safe) {
+			safeTrim := strings.ToLower(strings.TrimSpace(safe))
+
+			// Match exact command OR command followed by space + arguments
+			if trimmed == safeTrim || strings.HasPrefix(trimmed, safeTrim+" ") {
 				allowed = true
 				break
 			}