diff --git a/tools/etcd-dump-metrics/etcd.go b/tools/etcd-dump-metrics/etcd.go
index 2939b60c2..ceb089a6c 100644
--- a/tools/etcd-dump-metrics/etcd.go
+++ b/tools/etcd-dump-metrics/etcd.go
@@ -62,12 +62,22 @@ func setupEmbedCfg(cfg *embed.Config, curls, purls, ics []url.URL) {
 	cfg.InitialCluster = cfg.InitialCluster[1:]
 }
 
-func getCommand(exec, name, dir, cURL, pURL, cluster string) string {
-	s := fmt.Sprintf("%s --name %s --data-dir %s --listen-client-urls %s --advertise-client-urls %s ",
-		exec, name, dir, cURL, cURL)
-	s += fmt.Sprintf("--listen-peer-urls %s --initial-advertise-peer-urls %s ", pURL, pURL)
-	s += fmt.Sprintf("--initial-cluster %s ", cluster)
-	return s + "--initial-cluster-token tkn --initial-cluster-state new"
+func getCommand(exec, name, dir, cURL, pURL, cluster string) (args []string) {
+	if !strings.Contains(exec, "etcd") {
+		panic(fmt.Errorf("%q doesn't seem like etcd binary", exec))
+	}
+	return []string{
+		exec,
+		"--name", name,
+		"--data-dir", dir,
+		"--listen-client-urls", cURL,
+		"--advertise-client-urls", cURL,
+		"--listen-peer-urls", pURL,
+		"--initial-advertise-peer-urls", pURL,
+		"--initial-cluster", cluster,
+		"--initial-cluster-token=tkn",
+		"--initial-cluster-state=new",
+	}
 }
 
 func write(ep string) {
diff --git a/tools/etcd-dump-metrics/install_linux.go b/tools/etcd-dump-metrics/install_linux.go
index 0c6fc9707..1d0f52627 100644
--- a/tools/etcd-dump-metrics/install_linux.go
+++ b/tools/etcd-dump-metrics/install_linux.go
@@ -47,7 +47,8 @@ func install(ver, dir string) (string, error) {
 		return "", err
 	}
 
-	if err = exec.Command("bash", "-c", fmt.Sprintf("tar xzvf %s -C %s --strip-components=1", tarPath, dir)).Run(); err != nil {
+	// parametrizes to prevent attackers from adding arbitrary OS commands
+	if err = exec.Command("tar", "xzvf", tarPath, "-C", dir, "--strip-components=1").Run(); err != nil {
 		return "", err
 	}
 	return filepath.Join(dir, "etcd"), nil
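Review bot: The named result `args` in the new getCommand signature is never assigned or referenced — the body returns a slice literal — so `func getCommand(exec, name, dir, cURL, pURL, cluster string) []string {` is the cleaner form. The `strings.Contains(exec, "etcd")` guard is only a substring heuristic (any path containing "etcd" passes) and panics rather than returning an error, so it should be documented as a sanity check, not as the safeguard; the actual hardening here is that the flags are now an argv vector handed to exec.Command instead of a string parsed by bash. A doc comment such as `// getCommand builds the argv for launching one etcd member: exec is the binary path, followed by its flags; the slice is meant for exec.Command, never for a shell.` would record that. The call to strings.Contains also requires the strings import, whose block is outside this hunk, so confirm etcd.go already has it.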
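Review bot: Dropping the fmt.Sprintf call may leave install_linux.go's fmt import unused, which would fail compilation; the import block is outside the hunk, so check it. Wrapping the error at the return, `return "", fmt.Errorf("extracting %s into %s: %w", tarPath, dir, err)`, would keep the import in use and tell the caller which step failed (assuming the module targets Go 1.13 or later for %w). The added comment is also imprecise; `// Pass tar its arguments directly instead of via "bash -c", so tarPath and dir are never parsed by a shell.` states the reason more exactly. The enclosing install function starts before this hunk.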
diff --git a/tools/etcd-dump-metrics/main.go b/tools/etcd-dump-metrics/main.go
index 0648c8b2b..9e0aeec8e 100644
--- a/tools/etcd-dump-metrics/main.go
+++ b/tools/etcd-dump-metrics/main.go
@@ -87,7 +87,7 @@ func main() {
 	rc := make(chan run)
 
 	cs1 := getCommand(bp, "s1", d1, "http://localhost:2379", "http://localhost:2380", cluster)
-	cmd1 := exec.Command("bash", "-c", cs1)
+	cmd1 := exec.Command(cs1[0], cs1[1:]...)
 	go func() {
 		if *debug {
 			cmd1.Stderr = os.Stderr
@@ -101,7 +101,7 @@ func main() {
 		rc <- run{cmd: cmd1}
 	}()
 	cs2 := getCommand(bp, "s2", d2, "http://localhost:22379", "http://localhost:22380", cluster)
-	cmd2 := exec.Command("bash", "-c", cs2)
+	cmd2 := exec.Command(cs2[0], cs2[1:]...)
 	go func() {
 		if *debug {
 			cmd2.Stderr = os.Stderr
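Review bot: `cs1` and `cs2` now hold argv slices rather than command strings, so the names read as stale next to the new `[0]`/`[1:]` split; `args1 := getCommand(bp, "s1", d1, ...)` and `cmd1 := exec.Command(args1[0], args1[1:]...)` would make the intent obvious, and the same applies to the second hunk (cs2/cmd2). The split also relies on getCommand always placing the binary path first and never returning an empty slice; a short comment at the first call, `// getCommand returns the binary path first, then its flags.`, records that dependency so a later change to getCommand does not silently break the indexing. The enclosing main starts before and continues past both hunks.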