diff --git a/hermes_cli/web_server.py b/hermes_cli/web_server.py
index 300cfef4a5..353fc8e608 100644
--- a/hermes_cli/web_server.py
+++ b/hermes_cli/web_server.py
@@ -3780,12 +3780,22 @@ async def post_agent_plugin_install(request: Request, body: _AgentPluginInstallB
 detail=result.get("error") or "Install failed.",
 )
 _get_dashboard_plugins(force_rescan=True)
+ # Strip internal paths from the response
+ result.pop("after_install_path", None)
 return result
+def _validate_plugin_name(name: str) -> str:
+ """Reject path-traversal attempts in plugin name URL parameters."""
+ if not name or "/" in name or "\\" in name or ".." in name:
+ raise HTTPException(status_code=400, detail="Invalid plugin name.")
+ return name
+
+
 @app.post("/api/dashboard/agent-plugins/{name}/enable")
 async def post_agent_plugin_enable(request: Request, name: str):
 _require_token(request)
+ name = _validate_plugin_name(name)
 from hermes_cli.plugins_cmd import dashboard_set_agent_plugin_enabled
 result = dashboard_set_agent_plugin_enabled(name, enabled=True)
@@ -3797,6 +3807,7 @@ async def post_agent_plugin_enable(request: Request, name: str):
 @app.post("/api/dashboard/agent-plugins/{name}/disable")
 async def post_agent_plugin_disable(request: Request, name: str):
 _require_token(request)
+ name = _validate_plugin_name(name)
 from hermes_cli.plugins_cmd import dashboard_set_agent_plugin_enabled
 result = dashboard_set_agent_plugin_enabled(name, enabled=False)
@@ -3808,6 +3819,7 @@ async def post_agent_plugin_disable(request: Request, name: str):
 @app.post("/api/dashboard/agent-plugins/{name}/update")
 async def post_agent_plugin_update(request: Request, name: str):
 _require_token(request)
+ name = _validate_plugin_name(name)
 from hermes_cli.plugins_cmd import dashboard_update_user_plugin
 result = dashboard_update_user_plugin(name)
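Review bot: `_validate_plugin_name` is a denylist, so a bare `.` still passes (only `..` is tested), as do names containing NUL bytes or whitespace; joined onto a plugins directory, `.` resolves to that directory itself, which is the worst case for the delete route if `dashboard_remove_user_plugin` derives a filesystem path from `name` (its body lives in plugins_cmd and is not visible here). An allowlist is the safer shape and rejects `.`, `..` and both separators without listing them: `if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}", name or ""):`, with the character class widened only to what installed plugin directories are actually allowed to be named, and `import re` added at module level if the file does not already have it. The docstring should then say what is accepted rather than what is rejected, e.g. `"""Allow only a single safe path component as a plugin name (no separators, no dot-only names)."""`. `post_agent_plugin_install` starts and `post_agent_plugin_enable` ends outside this hunk.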
@@ -3820,6 +3832,7 @@ async def post_agent_plugin_update(request: Request, name: str):
 @app.delete("/api/dashboard/agent-plugins/{name}")
 async def delete_agent_plugin(request: Request, name: str):
 _require_token(request)
+ name = _validate_plugin_name(name)
 from hermes_cli.plugins_cmd import dashboard_remove_user_plugin
 result = dashboard_remove_user_plugin(name)
diff --git a/nix/tui.nix b/nix/tui.nix
index 7453fa2673..4d27dde798 100644
--- a/nix/tui.nix
+++ b/nix/tui.nix
@@ -4,7 +4,7 @@ let
 src = ../ui-tui;
 npmDeps = pkgs.fetchNpmDeps {
 inherit src;
- hash = "sha256-Chz+NW9NXqboXHOa6PKwf5bhAkkcFtKNhvKWwg2XSPc=";
+ hash = "sha256-a/HGI9OgVcTnZrMXA7xFMGnFoVxyHe95fulVz+WNYB0=";
 };
 npm = hermesNpmLib.mkNpmPassthru { folder = "ui-tui"; attr = "tui"; pname = "hermes-tui"; };
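Review bot: The delete route now depends entirely on the router-level `_validate_plugin_name` call, while the path that is actually removed is computed inside `dashboard_remove_user_plugin`, imported from plugins_cmd and not visible in this diff; if that helper joins `name` onto a plugins root and deletes the result, it should independently resolve the target and confirm it is a strict child of that root before removing anything, so the invariant is enforced where the destructive operation happens and CLI or other callers of the helper are covered too. A short comment on the added line, `# Router-level guard only; the helper must still confirm the resolved path stays under the plugins root`, would keep the next maintainer from treating this check as sufficient. The body of `delete_agent_plugin` continues past the end of this hunk.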