diff --git a/daemon/lua/sandbox.lua.in b/daemon/lua/sandbox.lua.in
index 6cdaaa51a0b2b198843eaf984bf501b586c9ef73..60c71ac7d2a6471e1ab189d0e212db290458fad0 100644
--- a/daemon/lua/sandbox.lua.in
+++ b/daemon/lua/sandbox.lua.in
@@ -446,8 +446,7 @@ modules.load('watchdog')
 -- Load keyfile_default
 trust_anchors.add_file('@keyfile_default@', @unmanaged@)
 
--- Interactive command evaluation
-function eval_cmd(line, raw)
+local function eval_cmd_compile(line, raw)
 	-- Compatibility sandbox code loading
 	local function load_code(code)
 	    if getfenv then -- Lua 5.1
@@ -461,6 +460,12 @@ function eval_cmd(line, raw)
 	if err then
 		chunk, err = load_code(line)
 	end
+	return chunk, err
+end
+
+-- Interactive command evaluation
+function eval_cmd(line, raw)
+	local chunk, err = eval_cmd_compile(line, raw)
 	if not err then
 		return chunk()
 	else
@@ -661,18 +666,25 @@ function map(cmd, format)
 	if (format ~= 'luaobj' and format ~= 'strings') then
 		panic('map() output format must be luaobj or strings') end
 
+	-- find out control socket paths
 	for _,v in pairs(net.list()) do
 		if (v['kind'] == 'control') and (v['transport']['family'] == 'unix') then
 			table.insert(local_sockets, string.match(v['transport']['path'], '^.*/([^/]+)$'))
 		end
 	end
-
 	local filetab = kluautil.list_dir(worker.control_path)
 	if next(filetab) == nil then
 		panic('no control sockets found in directory %s',
 			worker.control_path)
 	end
 
+	-- validate input command to detect typos early
+	local chunk, err = eval_cmd_compile(cmd, false)
+	if not chunk then
+		panic('failure when compiling map() command: %s', err)
+	end
+
+	-- finally execute it on all instances
 	for _,file in ipairs(filetab) do
 		local local_exec = false
 		for _,lsoc in ipairs(local_sockets) do