diff --git a/backend/app/api/skills_marketplace.py b/backend/app/api/skills_marketplace.py
index 0a8c0537..3cd0040b 100644
--- a/backend/app/api/skills_marketplace.py
+++ b/backend/app/api/skills_marketplace.py
@@ -687,7 +687,12 @@ def _sanitize_field(value: str) -> str:
     Prevents prompt injection via skill name or URL fields that could break out of the structured data section into the instruction section.
     """
-    return value.replace("\n", " ").replace("\r", " ").strip()
+    sanitized = "".join(
+        ch if ch.isprintable() and ch not in {"\n", "\r"} else " " for ch in value
+    )
+    # Normalize any runs of whitespace (including tabs) down to single spaces.
+    sanitized = re.sub(r"\s+", " ", sanitized)
+    return sanitized.strip()
 
 
 def _install_instruction(*, skill: MarketplaceSkill, gateway: Gateway) -> str:
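Review bot: The new body still passes every printable character through unchanged, so the docstring's "Prevents prompt injection" overstates what `_sanitize_field` guarantees: the `isprintable()` filter plus `re.sub(r"\s+", " ", ...)` only stops line-structure breakout (newlines, control/format characters such as zero-width and bidi marks, collapsed whitespace), while a skill name made of instruction-like prose, or of whatever delimiter the consuming template uses (quotes, backticks, brackets — not visible in this hunk), goes through verbatim. I would reword the docstring to `Collapse control/format characters and whitespace runs so a field cannot span lines or carry invisible characters; this does not neutralize instruction-like text, so the template that embeds the value must still treat it as untrusted data.` The `ch not in {"\n", "\r"}` test is redundant because `str.isprintable()` already returns False for both, so `ch if ch.isprintable() else " "` is equivalent and avoids building a set per character. The code depends on `re` being imported at module level, and no maximum length is enforced on the field; both are outside the hunk, so confirm them in the full file. `_sanitize_field`'s signature and the start of its docstring lie before the hunk.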