diff --git a/scripts/install-vault-pass.sh b/scripts/install-vault-pass.sh
index d546591..ebba4e9 100755
--- a/scripts/install-vault-pass.sh
+++ b/scripts/install-vault-pass.sh
@@ -189,6 +189,26 @@ download_from_url() {
   echo "Downloaded vault password file to: $DEST"
 }
 
+read_zip_password_file() {
+  # Bash strings cannot contain NUL bytes. Detect likely binary/invalid password
+  # files before command substitution so agents do not hit:
+  # warning: command substitution: ignored null byte in input
+  original_size="$(wc -c < "$VAULT_PASS_ZIP_PASSWORD_FILE" | tr -d '[:space:]')"
+  without_nul_size="$(LC_ALL=C tr -d '\000' < "$VAULT_PASS_ZIP_PASSWORD_FILE" | wc -c | tr -d '[:space:]')"
+  if [ "$original_size" != "$without_nul_size" ]; then
+    echo "VAULT_PASS_ZIP_PASSWORD_FILE appears to contain NUL bytes; provide a text password file instead." >&2
+    exit 4
+  fi
+
+  # Accept the first line and strip a trailing CR for files copied from Windows.
+  IFS= read -r zip_pass < "$VAULT_PASS_ZIP_PASSWORD_FILE" || true
+  zip_pass="${zip_pass%$'\r'}"
+  if [ -z "$zip_pass" ]; then
+    echo "VAULT_PASS_ZIP_PASSWORD_FILE is empty: $VAULT_PASS_ZIP_PASSWORD_FILE" >&2
+    exit 4
+  fi
+}
+
 extract_from_archive() {
   require_cmd unzip
   ensure_dest_dir
@@ -210,7 +230,7 @@ ERR
       echo "Missing VAULT_PASS_ZIP_PASSWORD_FILE: $VAULT_PASS_ZIP_PASSWORD_FILE" >&2
       exit 4
     fi
-    zip_pass="$(cat "$VAULT_PASS_ZIP_PASSWORD_FILE")"
+    read_zip_password_file
     unzip -P "$zip_pass" -q "$ARCHIVE" -d "$tmpdir"
   elif [ -n "${VAULT_PASS_ZIP_PASSWORD:-}" ]; then
     unzip -P "$VAULT_PASS_ZIP_PASSWORD" -q "$ARCHIVE" -d "$tmpdir"
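Review bot: An unreadable password file (exists but wrong permissions) is reported as "is empty" by read_zip_password_file, because both `wc -c` substitutions and the `read` fail quietly — the two sizes compare equal as empty strings and `|| true` swallows the read error — so the user is sent chasing the wrong problem; a readability check at the top of the function gives the precise message, e.g. `[ -r "$VAULT_PASS_ZIP_PASSWORD_FILE" ] || { echo "Cannot read VAULT_PASS_ZIP_PASSWORD_FILE: $VAULT_PASS_ZIP_PASSWORD_FILE" >&2; exit 4; }`. Whether the script runs under `set -e` is not visible here; if it does, the failing substitution would instead abort with no message at all. `original_size` and `without_nul_size` are function-internal and should be `local`, while `zip_pass` is deliberately left global for the caller — a header comment such as `# Sets: zip_pass (first line of VAULT_PASS_ZIP_PASSWORD_FILE, CR stripped). Exits 4 on a binary or empty file.` would make that contract explicit. Note that taking only the first line is a behaviour change from the previous `$(cat ...)` (which kept embedded newlines); presumably intended, but worth stating in the script's usage text.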
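Review bot: The password still reaches unzip as an argument on the line after the new call (`unzip -P "$zip_pass" ...`, and likewise in the `elif` branch), so for the duration of the extraction it is visible in the process list to any local user; the commit tightens how the password is read but not how it is handed over. If Info-ZIP's `-P` is the only practical option here, a short comment on that line — `# NOTE: -P exposes the password in the process list while unzip runs.` — documents the accepted exposure for whoever deploys this. The enclosing `if` / `elif` chain and extract_from_archive continue outside the hunk.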