When using a ProxyCommand, it appears that the arguments to it are passed in an unsafe manner: % ssh -o ProxyCommand='nc %h %p' '$(not found)' zsh:1: command not found: not nc: you must specify the address/port couple of the remote endpoint ssh_exchange_identification: Connection closed by remote host This is not zsh specific (e.g. it happens with bash). One can resolve the immediate problem (which it turned out wasn't even the problem I was thinking of!) by attempting to quote %h: % ssh -o ProxyCommand='nc '\''%h'\'' %p' '$(not found)' nc: forward host lookup failed for remote endpoint $(not found): Name or service not known .. but obviously this will fail if someone is motivated: % ssh -o ProxyCommand='nc '\''%h'\'' %p' \''$(not found)'\' This doesn't seem ideal, but is probably not an issue in practice. Maybe it allows motivated users who have permission to run ssh as other users to execute code as them? Badly configured sudo rsync backup jobs? I noticed attempting to use an IPv6 literal with its surrounding square-brackets ([::1]), which isn't allowed anyway, and my zsh config rejects due to `setopt nomatch`.