Skip to content
shellmap

evalParse and execute a string as if it were a shell command across all 5 shells

Equivalents in every shell

Bashunix
eval "$cmd"

Bash builtin. Joins its arguments with spaces, then parses and runs the result as a shell line. Variables, expansions, redirections — all expanded a second time.

Zshunix
eval "$cmd"

Identical to bash.

Fishunix
eval $cmd

Fish builtin (deprecated in 3.0 but still functional). The modern fish recommendation is command substitution `($cmd)` or `string split` plus direct invocation.

PowerShellwindows
Invoke-Expression $cmd

Aliased as `iex`. Parses and runs a string as PowerShell. Same security model as `eval` — never pass untrusted input.

cmd.exewindows
call %cmd%

`call` re-parses variable references but does NOT do a second pass on aliases, redirections, or special chars. There is no true `eval` in cmd — for full re-parsing, drop to PowerShell `iex` or write a helper `.bat`.

Worked examples

Evaluate `ssh-agent` startup output to set env vars

Bash
eval "$(ssh-agent -s)"
Zsh
eval "$(ssh-agent -s)"
Fish
eval (ssh-agent -c | string collect)
PowerShell
ssh-agent | Out-String | Invoke-Expression

Build and run a command from variables

Bash
cmd="ls -la /tmp"; eval "$cmd"
PowerShell
$cmd = "Get-ChildItem -Force /tmp"; Invoke-Expression $cmd

Load shell config printed by a tool (rbenv, direnv, mise)

Bash
eval "$(rbenv init -)"
Zsh
eval "$(rbenv init - zsh)"
Fish
rbenv init - fish | source
PowerShell
rbenv init - powershell | Out-String | Invoke-Expression

Gotchas

  • `eval` with any user-controlled input is a command-injection vulnerability — `eval $name` where `$name` contains `; rm -rf ~` runs the destructive command. Always quote (`eval "$cmd"`) AND audit the source of the string.
  • Double expansion means quotes and backslashes need to be escaped *twice*. `eval echo \\"hi\\"` yields `hi`. This is famously hard to get right; prefer array-based command construction (`cmd=(ls -la /tmp); "${cmd[@]}"`) where possible.
  • Fish deprecates `eval` and recommends string-builtins. Modern fish patterns like `rbenv init - fish | source` avoid `eval` entirely by piping the script body into `source`.
  • PowerShell `Invoke-Expression` is the official equivalent and carries an explicit security warning in `Get-Help iex` — the language even has an analyzer rule (`PSAvoidUsingInvokeExpression`) that flags its use.
  • `call %cmd%` in cmd does NOT behave like `eval` — it expands `%var%` once but treats the result as a single command, not a script line. Pipes, redirections, and `&&` inside `%cmd%` are passed literally and almost never work.

WSL & PowerShell Core notes

pwsh`Invoke-Expression` (`iex`) is identical on Windows and Unix pwsh. PSScriptAnalyzer's `PSAvoidUsingInvokeExpression` rule fires on both platforms — the recommended cross-platform pattern is to build commands as call-operator invocations with argument arrays (`& $cmd @args`) rather than string-eval.
WSLInside WSL `eval` is the bash builtin and behaves identically to native Linux. The common cross-shell pattern `eval "$(wsl.exe -e bash -c 'rbenv init -')"` works from pwsh, but pwsh receives the output with CRLF line endings — pipe through `tr -d '\r'` (or use `wsl.exe --no-distribution` quoting) before `eval` to avoid parse errors.

Common tasks using eval

Related commands