diff --git a/plugin/src/main/java/me/libraryaddict/disguise/commands/utils/GrabHeadCommand.java b/plugin/src/main/java/me/libraryaddict/disguise/commands/utils/GrabHeadCommand.java
index d22a30a3..2b34008d 100644
--- a/plugin/src/main/java/me/libraryaddict/disguise/commands/utils/GrabHeadCommand.java
+++ b/plugin/src/main/java/me/libraryaddict/disguise/commands/utils/GrabHeadCommand.java
@@ -55,7 +55,7 @@ public class GrabHeadCommand implements CommandExecutor {
 String usable = SkinUtils.getUsableStatus();
 if (usable != null) {
- sender.sendMessage(usable);
+ DisguiseUtilities.sendMessage(sender, usable);
 return true;
 }
diff --git a/plugin/src/main/java/me/libraryaddict/disguise/commands/utils/GrabSkinCommand.java b/plugin/src/main/java/me/libraryaddict/disguise/commands/utils/GrabSkinCommand.java
index 88a9ee78..024d59c6 100644
--- a/plugin/src/main/java/me/libraryaddict/disguise/commands/utils/GrabSkinCommand.java
+++ b/plugin/src/main/java/me/libraryaddict/disguise/commands/utils/GrabSkinCommand.java
@@ -54,7 +54,7 @@ public class GrabSkinCommand implements CommandExecutor {
 String usable = SkinUtils.getUsableStatus();
 if (usable != null) {
- sender.sendMessage(usable);
+ DisguiseUtilities.sendMessage(sender, usable);
 return true;
 }
@@ -73,7 +73,12 @@ public class GrabSkinCommand implements CommandExecutor {
 }
 }
- String name = tName.toLowerCase(Locale.ROOT).endsWith(":slim") ? tName.substring(0, tName.lastIndexOf(":")) : tName;
+ String name = tName != null && tName.toLowerCase(Locale.ROOT).endsWith(":slim") ? tName.substring(0, tName.lastIndexOf(":")) : tName;
+
+ if (name != null && name.replaceAll("[_a-zA-Z \\d-@#]", "").length() > 0) {
+ LibsMsg.SKIN_API_INVALID_NAME.send(sender);
+ return true;
+ }
 SkinUtils.SkinCallback callback = new SkinUtils.SkinCallback() {
 private final BukkitTask runnable = new BukkitRunnable() {
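Review bot: The `-` in the new allow-list `[_a-zA-Z \\d-@#]` (second GrabSkinCommand hunk) sits between `\\d` and `@`, where it reads as a range operator. Java appears to treat it as a literal hyphen after a predefined class, but the accepted set then rests on a parsing detail that a later edit can silently change. Putting the hyphen last and matching the whole string states the intent directly: `if (name != null && !name.matches("[_a-zA-Z \\d@#-]*")) {`. The check also sets no upper bound on the name length, and if the list is meant to keep dots and path separators out of names, a comment saying so would help stop it being widened later. The enclosing method starts and ends outside the hunk.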
diff --git a/plugin/src/main/java/me/libraryaddict/disguise/utilities/SkinUtils.java b/plugin/src/main/java/me/libraryaddict/disguise/utilities/SkinUtils.java
index 6e0500a9..d00193e2 100644
--- a/plugin/src/main/java/me/libraryaddict/disguise/utilities/SkinUtils.java
+++ b/plugin/src/main/java/me/libraryaddict/disguise/utilities/SkinUtils.java
@@ -176,8 +176,9 @@ public class SkinUtils {
 return;
 }
- File file =
- new File(LibsDisguises.getInstance().getDataFolder(), "/Skins/" + param + (param.toLowerCase(Locale.ENGLISH).endsWith(".png") ? "" : ".png"));
+ File expectedFolder = new File(LibsDisguises.getInstance().getDataFolder(), "/Skins/");
+
+ File file = new File(expectedFolder, param + (param.toLowerCase(Locale.ENGLISH).endsWith(".png") ? "" : ".png"));
 if (!file.exists()) {
 file = null;
@@ -186,6 +187,9 @@ public class SkinUtils {
 callback.onError(LibsMsg.SKIN_API_BAD_FILE_NAME);
 return;
 }
+ } else if (!file.getParentFile().getAbsolutePath().equals(expectedFolder.getAbsolutePath())) {
+ callback.onError(LibsMsg.SKIN_API_INVALID_NAME);
+ return;
 }
 if (file != null) {
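Review bot: The new folder check in the second SkinUtils hunk only runs in the `else` branch of `if (!file.exists())`, so `file.exists()` is still called on the unvalidated `param` path first. A name that resolves outside `Skins/` therefore gets a different answer depending on whether the target exists: the not-found branch (whose condition is only partly visible here) versus `SKIN_API_INVALID_NAME`. Running the containment test right after `file` is built in the previous hunk, before `file.exists()`, rejects every such name the same way: `if (!file.getParentFile().getAbsolutePath().equals(expectedFolder.getAbsolutePath())) {`. Comparing `getAbsolutePath()` strings does not resolve `..` segments or symlinks; it holds here because any extra path segment changes the parent string, but comparing `getCanonicalFile()` results would make that explicit. The enclosing method starts and ends outside both hunks.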