diff --git a/.github/workflows/flatpak.yml b/.github/workflows/flatpak.yml
index 80d807d31..838242d1a 100644
--- a/.github/workflows/flatpak.yml
+++ b/.github/workflows/flatpak.yml
@@ -90,6 +90,27 @@ jobs:
 run: |
 flatpak-builder --force-clean --repo=flatpak-repo build-dir flatpak/org.dash.DashEvoTool.yml
+
+ - name: Verify Flatpak binary dependencies
+ run: |
+ BINARY="build-dir/files/bin/dash-evo-tool"
+ if [ ! -f "$BINARY" ]; then
+ echo "::error::Binary not found at $BINARY"
+ exit 1
+ fi
+ echo "Checking shared library dependencies inside Flatpak sandbox..."
+ # Run ldd inside the Flatpak build environment so libraries resolve
+ # against the Flatpak runtime (/usr) and app (/app), not the host.
+ DEPS=$(flatpak build build-dir ldd /app/bin/dash-evo-tool 2>&1 || true)
+ echo "$DEPS"
+ # Fail on missing libraries (not found = will crash at runtime)
+ if echo "$DEPS" | grep -q "not found"; then
+ echo "::error::Binary has missing shared library dependencies"
+ echo "$DEPS" | grep "not found"
+ exit 1
+ fi
+ echo "✅ Flatpak binary dependencies look clean"
+
 - name: Create Flatpak bundle
 run: |
 flatpak build-bundle flatpak-repo dash-evo-tool-linux-${{ matrix.arch }}.flatpak org.dash.DashEvoTool
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9f1d931e5..d34622451 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
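Review bot: The `|| true` on the `DEPS=$(flatpak build build-dir ldd ...)` line lets the check pass vacuously when the sandbox command itself fails: if `flatpak build` cannot enter build-dir or the runtime ships no `ldd`, `$DEPS` holds only an error message, `grep -q "not found"` does not match, and the step still prints "look clean". Capture the exit status and fail on it instead, e.g. `DEPS=$(flatpak build build-dir ldd /app/bin/dash-evo-tool 2>&1) || { echo "::error::ldd failed inside the Flatpak sandbox"; echo "$DEPS"; exit 1; }`, and reject an empty `$DEPS` with `[ -n "$DEPS" ]` so a silent run cannot pass either. The check inspects only the main executable; anything installed under /app/lib is not covered, which is presumably acceptable but deserves a line in the `# Run ldd inside ...` comment. The enclosing job's steps start outside the hunk.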
@@ -121,6 +121,26 @@ jobs:
 done
 echo "✅ Binary is self-contained — no MinGW runtime or null DLL dependencies"
+ - name: Verify Linux binary dependencies
+ if: ${{ contains(matrix.target, 'linux') }}
+ run: |
+ echo "Checking shared library dependencies..."
+ DEPS=$(ldd dash-evo-tool/dash-evo-tool)
+ echo "$DEPS"
+ # Allowlist: only standard system libraries should appear
+ UNEXPECTED=$(echo "$DEPS" | grep "=>" | grep -v "not found" | awk '{print $1}' | grep -Ev "^(linux-vdso|libm|libc|libdl|librt|libpthread|libgcc_s|libstdc\+\+|ld-linux|libz|libssl|libcrypto)\.so" || true)
+ if [ -n "$UNEXPECTED" ]; then
+ echo "::warning::Unexpected shared dependencies found:"
+ echo "$UNEXPECTED"
+ fi
+ # Fail on missing libraries
+ if echo "$DEPS" | grep -q "not found"; then
+ echo "::error::Binary has missing shared library dependencies"
+ echo "$DEPS" | grep "not found"
+ exit 1
+ fi
+ echo "✅ Linux binary dependencies look clean"
+
 - name: Package release
 run: |
 zip -r dash-evo-tool-${{ matrix.platform }}.zip dash-evo-tool/
@@ -252,6 +272,27 @@ jobs:
 EOF
+
+ - name: Verify macOS binary dependencies
+ run: |
+ echo "Checking dynamic library dependencies..."
+ DEPS=$(otool -L build/dash-evo-tool)
+ echo "$DEPS"
+ # Only system libraries (/usr/lib/) and frameworks (/System/Library/) are allowed
+ UNEXPECTED=$(echo "$DEPS" | tail -n +2 | awk '{print $1}' | grep -Ev "^(/usr/lib/|/System/Library/|@rpath/)" || true)
+ if [ -n "$UNEXPECTED" ]; then
+ echo "::error::Binary links non-system libraries:"
+ echo "$UNEXPECTED"
+ exit 1
+ fi
+ # Warn on @rpath dependencies (acceptable for frameworks but worth noting)
+ RPATH=$(echo "$DEPS" | tail -n +2 | awk '{print $1}' | grep "^@rpath/" || true)
+ if [ -n "$RPATH" ]; then
+ echo "::warning::Binary has @rpath dependencies (verify these are bundled):"
+ echo "$RPATH"
+ fi
+ echo "✅ macOS binary dependencies look clean"
+
 - name: Import signing certificates
 uses: Apple-Actions/import-codesign-certs@v3
 with:
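Review bot: An unexpected dependency only emits `::warning::` in the `if [ -n "$UNEXPECTED" ]` branch, whereas the macOS step in the next hunk treats the same condition as `::error::` and exits 1, so a Linux release binary that has picked up a non-allowlisted library still ships. If the Linux gate is meant to be advisory for now, say so on the `# Allowlist:` comment, e.g. `# Allowlist is advisory: unexpected libs warn, only missing libs fail`; otherwise make both platforms fail consistently. Note also that `ldd` invokes the binary's dynamic loader on the runner, so if any `linux` target in the matrix is cross-compiled for a foreign architecture, `ldd` reports "not a dynamic executable" and, under the default `-e` shell, aborts the step before the allowlist is even evaluated — the `if:` may need to be narrowed to native targets. The enclosing job's steps start outside the hunk.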
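Review bot: The `@rpath` warning in the `if [ -n "$RPATH" ]` branch is not actionable as written, because `otool -L` only shows that a dependency resolves through the run-path list, not where that list points — and an `@rpath` search directory outside the app bundle is exactly the case a reviewer needs to see. Print the LC_RPATH load commands next to the warning, e.g. `otool -l build/dash-evo-tool | grep -A2 LC_RPATH`, so the output shows which directories the loader will search. This step is repeated verbatim in the hunk at `@@ -520,6 +561,27 @@`; moving the check into one script in the repository (or a composite action) would keep the two jobs from drifting apart. The step runs before "Import signing certificates", so it inspects the unsigned build output — presumably intended, but a one-line comment saying so would help.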
@@ -520,6 +561,27 @@ jobs:
 EOF
+
+ - name: Verify macOS binary dependencies
+ run: |
+ echo "Checking dynamic library dependencies..."
+ DEPS=$(otool -L build/dash-evo-tool)
+ echo "$DEPS"
+ # Only system libraries (/usr/lib/) and frameworks (/System/Library/) are allowed
+ UNEXPECTED=$(echo "$DEPS" | tail -n +2 | awk '{print $1}' | grep -Ev "^(/usr/lib/|/System/Library/|@rpath/)" || true)
+ if [ -n "$UNEXPECTED" ]; then
+ echo "::error::Binary links non-system libraries:"
+ echo "$UNEXPECTED"
+ exit 1
+ fi
+ # Warn on @rpath dependencies (acceptable for frameworks but worth noting)
+ RPATH=$(echo "$DEPS" | tail -n +2 | awk '{print $1}' | grep "^@rpath/" || true)
+ if [ -n "$RPATH" ]; then
+ echo "::warning::Binary has @rpath dependencies (verify these are bundled):"
+ echo "$RPATH"
+ fi
+ echo "✅ macOS binary dependencies look clean"
+
 - name: Import signing certificates
 uses: Apple-Actions/import-codesign-certs@v3
 with: