diff --git a/ceru/subcmds/new/ssh-key b/ceru/subcmds/new/ssh-key
index abf0c1d..e4ce324 100755
--- a/ceru/subcmds/new/ssh-key
+++ b/ceru/subcmds/new/ssh-key
@@ -100,8 +100,9 @@ if [[ -n "$COMMENT" ]]; then
 EXTRA="$EXTRA -C '$COMMENT'"
 fi
 
+# BUG: WARNING: $OUT permits arbitrary command injection
 if [[ -n "$OUT" ]]; then
- EXTRA="$EXTRA -f '$OUT'"
+ EXTRA="$EXTRA -f $OUT"
 fi
 
 if [[ "$NOPASSWD" == true ]]; then
@@ -109,13 +110,18 @@ if [[ "$NOPASSWD" == true ]]; then
 fi
 
 if [[ "$HWKEY" == true ]]; then
+ if [[ "$TYPE" == "rsa" ]]; then
+ echo -e "${BOLD}${RED}-H|--hardware-key${RESET} flag is not valid for ${BOLD}${MAGENTA}rsa${RESET} keys ${BOLD}${CYAN}(use ed25519 instead)${RESET}"
+ exit 1
+ fi
 TYPE="$TYPE-sk"
 fi
 
 # permit error during key generation
 set +e
-ssh-keygen -t "$TYPE" -a "$ROUNDS" $EXTRA
+echo -e "${BOLD}${GREEN}[+] ssh-keygen -t $TYPE -a '$ROUNDS' $EXTRA${RESET}"
+ssh-keygen -t $TYPE -a "$ROUNDS" $EXTRA
 
 # reset state
 set -e
-unset TYPE ROUNDS COMMENT OUT NOPASSWD EXTRA
+unset TYPE ROUNDS COMMENT OUT NOPASSWD HWKEY EXTRA
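Review bot: The new comment above the `$OUT` block records a known flaw instead of removing it, and dropping the quotes in `EXTRA="$EXTRA -f $OUT"` trades one problem for another. `$EXTRA` is expanded unquoted in the `ssh-keygen` call of the next hunk, so an `$OUT` containing whitespace or glob characters is split into additional `ssh-keygen` arguments; no `eval` is visible here, so this looks like argument injection rather than command execution, and the comment should say so precisely. Collecting the options in an array fixes both this and the literal quote characters that `-C '$COMMENT'` still passes through: `EXTRA+=(-f "$OUT")` here and `"${EXTRA[@]}"` at the call. `EXTRA` is initialised outside the hunk and would need to become `EXTRA=()` there.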
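Review bot: The rewritten call `ssh-keygen -t $TYPE -a "$ROUNDS" $EXTRA` loses the quotes the removed line had around `$TYPE`, so a type value containing whitespace or glob characters now word-splits into extra arguments; keep `-t "$TYPE"`. The `rsa` test in the `HWKEY` branch is a deny-list: any other type without an `-sk` variant still gets the suffix appended and only fails inside `ssh-keygen`, unless `TYPE` is validated earlier, outside this hunk. An allow-list such as `case "$TYPE" in ed25519|ecdsa) ;; *) ... exit 1 ;; esac` would cover that, and the error text belongs on stderr (`>&2`). The `echo -e` trace line also interprets backslash sequences inside `$EXTRA`; `printf '%s\n'` would print the values verbatim.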