diff --git a/README.md b/README.md
index cd3bba4..8d3e455 100644
--- a/README.md
+++ b/README.md
@@ -259,10 +259,10 @@ On the host (root recommended to harvest as much data as possible):
 ```bash
 enroll harvest --out /tmp/enroll-harvest
 ```
-### Remote harvest over SSH (no enroll install required on the remote host, no need for --out)
+### Remote harvest over SSH (no enroll install required on the remote host)
 ```bash
-enroll harvest --remote-host myhost.example.com --remote-user myuser
+enroll harvest --remote-host myhost.example.com --remote-user myuser --out /tmp/enroll-harvest
 ```
 ### `--dangerous` (captures potentially sensitive files — read the warning above)
@@ -274,7 +274,7 @@ enroll harvest --out /tmp/enroll-harvest --dangerous
 Remote + dangerous:
 ```bash
-enroll harvest --remote-host myhost.example.com --remote-user myuser --dangerous
+enroll harvest --remote-host myhost.example.com --remote-user myuser --out /tmp/enroll-harvest --dangerous
 ```
 ### `--sops` (encrypt bundles at rest)
diff --git a/enroll/manifest.py b/enroll/manifest.py
index afb8b88..09666d4 100644
--- a/enroll/manifest.py
+++ b/enroll/manifest.py
@@ -567,7 +567,7 @@ def _tar_dir_to_with_progress(
 cols = shutil.get_terminal_size((80, 20)).columns
 msg = msg[: cols - 1]
 except Exception:
- pass # nosec
+ pass
 os.write(2, ("\r" + msg).encode("utf-8", errors="replace"))
 with tarfile.open(tar_path, mode="w:gz") as tf:
diff --git a/enroll/remote.py b/enroll/remote.py
index 7ad8dc4..df8d876 100644
--- a/enroll/remote.py
+++ b/enroll/remote.py
@@ -200,7 +200,7 @@ def remote_harvest(
 # Stream a tarball back to the local machine (avoid creating a tar file on the remote).
 cmd = f"tar -cz -C {rbundle} ."
- _stdin, stdout, stderr = ssh.exec_command(cmd) # nosec
+ _stdin, stdout, stderr = ssh.exec_command(cmd)
 with open(local_tgz, "wb") as f:
 while True:
 chunk = stdout.read(1024 * 128)
diff --git a/enroll/sopsutil.py b/enroll/sopsutil.py
index 6c0c881..d43d351 100644
--- a/enroll/sopsutil.py
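Review bot: The `except Exception: pass` in the enroll/manifest.py hunk now swallows every error from the terminal-width truncation with nothing left on the line to say that this is deliberate. If the intent is that progress rendering must never abort the archive step (inferred; `_tar_dir_to_with_progress` starts and ends outside the hunk), record it with a comment such as `# best-effort: a failed width lookup must not interrupt the tar step`, or narrow the clause to the errors the lookup can actually raise. Unless the suppression moved into Bandit configuration, which this diff does not show, a Bandit scan will report this line as B110. The `subprocess` import and both `subprocess.run(...)` calls in enroll/sopsutil.py lose their markers the same way; a rule-scoped form like `# nosec B603` with a one-line reason keeps the rationale next to the code.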
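Review bot: `rbundle` is interpolated unquoted into the command string in the enroll/remote.py hunk (`cmd = f"tar -cz -C {rbundle} ."`), and `ssh.exec_command` hands that string to the remote shell. Where `rbundle` comes from is outside the hunk; if it is ever derived from remote output or user-supplied options, whitespace or shell metacharacters in it would change what runs on the remote host. Quoting closes that off: `cmd = f"tar -cz -C {shlex.quote(rbundle)} ."` (needs `import shlex` if remote.py does not already have it). The visible read loop also does not show the remote `tar` exit status being checked; if the rest of `remote_harvest` does not do so, a failed or truncated stream would be saved as a valid-looking tarball, so checking `stdout.channel.recv_exit_status()` after the loop is worthwhile.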
+++ b/enroll/sopsutil.py
@@ -2,7 +2,7 @@ from __future__ import annotations
 import os
 import shutil
-import subprocess # nosec
+import subprocess
 import tempfile
 from pathlib import Path
 from typing import Iterable, List, Optional
@@ -62,7 +62,7 @@ def encrypt_file_binary(
 ],
 capture_output=True,
 check=False,
- ) # nosec
+ )
 if res.returncode != 0:
 raise SopsError(
 "sops encryption failed:\n"
@@ -112,7 +112,7 @@ def decrypt_file_binary_to(
 ],
 capture_output=True,
 check=False,
- ) # nosec
+ )
 if res.returncode != 0:
 raise SopsError(
 "sops decryption failed:\n"