diff --git a/.github/workflows/security-update.yml b/.github/workflows/security-update.yml
deleted file mode 100644
index 93b2b32..0000000
--- a/.github/workflows/security-update.yml
+++ /dev/null
@@ -1,79 +0,0 @@ -name: security-update -on: - workflow_call: - inputs: - cve-list: - description: List of comma separated CVEs. - required: false - default: "" - type: string - workflow_dispatch: - inputs: - cve-list: - description: List of comma separated CVEs. - required: false - default: "" - type: string -jobs: - bump-patch: - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: Generate bot token - uses: actions/create-github-app-token@v1 - id: bot-token - with: - app-id: ${{ vars.AUTO_UPDATE_BOT_APP_ID }} - private-key: ${{ secrets.AUTO_UPDATE_BOT_APP_PRIVATE_KEY }} - - - uses: actions/checkout@v4 - with: - token: ${{ steps.bot-token.outputs.token }} - persist-credentials: true - - - name: Install python3-semantic-version - run: sudo apt-get install -y python3-semantic-version - - - name: Configure Git - run: | - git config user.name ${{ vars.AUTO_UPDATE_BOT_USERNAME }} - git config user.email ${{ vars.AUTO_UPDATE_BOT_EMAIL }} - - - name: Get tag for latest release - id: get-latest-tag - run: | - latest_release_tag="$(gh api repos/${GITHUB_REPO}/releases/latest --jq '.tag_name')" - if [[ -n $latest_release_tag ]]; then - echo "::debug::Tag for latest release is - $latest_release_tag" - echo "TAG=$latest_release_tag" >> "$GITHUB_OUTPUT" - else - echo "::error::Failed to get tag for latest release($latest_release_tag)" - exit 1 - fi - env: - GITHUB_REPO: ${{ github.repository }} - GITHUB_TOKEN: ${{ steps.bot-token.outputs.token }} - - - name: Bump Patch version - id: bump-patch-version - run: | - new_tag="$(./scripts/bump-patch-version "${VERSION}")" - echo "NEW_TAG=$new_tag" >> "$GITHUB_OUTPUT" - env: - VERSION: ${{ steps.get-latest-tag.outputs.TAG }} - - - name: Create New Tag - run: | - git tag -m "Fix ${CVE_LIST:-security-vulnerabilities}" "${NEW_TAG}" - git tag --list - env: - NEW_TAG: ${{ steps.bump-patch-version.outputs.NEW_TAG }} - CVE_LIST: ${{ inputs.cve-list }} - - - name: Push New Tag - if: github.ref == 'refs/heads/master' - 
run: |
- git push origin "${NEW_TAG}"
- env:
- NEW_TAG: ${{ steps.bump-patch-version.outputs.NEW_TAG }}
diff --git a/Taskfile.yml b/Taskfile.yml
index 46b9eba..87eb4cb 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -305,3 +305,53 @@ tasks:
 # :latest or unstable
 - for: { var: IMAGE_REPOS, split: ',', as: IMAGE_REPO }
 cmd: crane index append --tag {{.IMAGE_REPO}}:{{.V_UNSTABLE_OR_LATEST}}{{.V_DIRTY_SUFFIX}} -m {{.IMAGE_REPO}}@{{.IMAGE_AMD64_DIGEST}} -m {{.IMAGE_REPO}}@{{.IMAGE_ARM64_DIGEST}}
+ # -----------------------------------------------------------------
+ # Cleanup generated data, cache and build artifacts
+ # -----------------------------------------------------------------
+ clean:
+ desc: "Clean cache, build artifacts etc."
+ aliases:
+ - "go:clean"
+ cmds:
+ - task: internal:rm-file-glob
+ vars:
+ DIRECTORY: '{{ joinPath .ROOT_DIR "dist" }}'
+ PATTERN: "{{.ITEM}}"
+ for:
+ - "*.json"
+ - "*.yml"
+ - "*.yaml"
+ - task: internal:rm-file-glob
+ vars:
+ DIRECTORY: '{{ joinPath .ROOT_DIR "build" }}'
+ PATTERN: "{{.ITEM}}"
+ for:
+ - "*.tar"
+ - "*.tar.gz"
+ - "*.sbom"
+ - "*.sbom.att"
+ - "*.sbom.att.json"
+ - "*.sbom.spdx"
+ - "*.sbom.spdx.json"
+ - "*.sbom.spdx.json"
+ - "*.sbom.cyclonedx.xml"
+ - "*.sbom.cyclonedx.json"
+ - "*.sigstore.pem"
+ - "*.sigstore.sig"
+ - "*.sigstore.bundle"
+ - "*.intoto.json"
+ - "*.in-toto.json"
+ - "*.jsonl"
+ - task: internal:rm-file-glob
+ vars:
+ DIRECTORY: '{{ joinPath .ROOT_DIR ".task" "checksum" }}'
+ PATTERN: "*"
+ - task: internal:rmdir
+ vars:
+ DIRECTORY: "{{ .ITEM }}"
+ for:
+ - "{{ .GO_COVER_DIR }}"
+ - '{{ joinPath .ROOT_DIR "bin" }}'
+ - '{{ joinPath .ROOT_DIR ".task" "checksum" }}'
+ - '{{ joinPath .ROOT_DIR ".task" }}'
+ - '{{ joinPath .ROOT_DIR "dist" }}'
diff --git a/docs/faq.md b/docs/faq.md
index 94a3f47..d961e0c 100644
--- a/docs/faq.md
+++ b/docs/faq.md
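Review bot: The `build` glob list in the new `clean` task contains `"*.sbom.spdx.json"` twice, so one of the two entries should be dropped. The `dist` file-glob step and the `.task/checksum` glob step are also redundant as written, because the final `internal:rmdir` loop removes `dist`, `.task/checksum` and the whole `.task` directory anyway; if the intent is to preserve unrelated files under `dist`, the `'{{ joinPath .ROOT_DIR "dist" }}'` entry in the rmdir list should go instead of the glob step. `"{{ .GO_COVER_DIR }}"` is passed to `internal:rmdir` unguarded, and whether an empty or unset value makes the helper no-op or act on an unintended path depends on `internal:rmdir`, which is defined outside this hunk — worth confirming there, or guarding the entry so an empty value is never forwarded. A short comment on that line such as `# GO_COVER_DIR may be unset; internal:rmdir must tolerate an empty path` would make the dependency explicit.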
@@ -174,10 +174,6 @@ guarantees. If your are _not_ using default metadata and ip check endpoints this - `protonwire-api.vercel.app` - `icanhazip.com` -## Known Issues - -- Running multiple instances of this __outside of containers__ on _same host_ is not supported. - ## Kubernetes Currently no egress gateway supports proxying both TCP and UDP @@ -196,7 +192,8 @@ your pod are using the VPN. Do note that `.cluster` domains like `.