diff --git a/plugins/commando.c b/plugins/commando.c
index 2f39079a2..c748599c8 100644
--- a/plugins/commando.c
+++ b/plugins/commando.c
@@ -344,10 +344,11 @@ static const char *check_rune(const tal_t *ctx,
 	cinfo.params = params;
 	cinfo.usage = NULL;
 	strmap_init(&cinfo.cached_params);
-	err = rune_test(ctx, master_rune, rune, check_condition, &cinfo);
+	err = rune_test(tmpctx, master_rune, rune, check_condition, &cinfo);
 	/* Just in case they manage to make us speak non-JSON, escape! */
 	if (err)
-		err = json_escape(ctx, take(err))->s;
+		err = json_escape(ctx, err)->s;
+
 	strmap_clear(&cinfo.cached_params);
 
 	/* If it succeeded, *now* we increment any associated usage counter. */
diff --git a/tests/test_plugin.py b/tests/test_plugin.py
index a3f0264a5..caf939246 100644
--- a/tests/test_plugin.py
+++ b/tests/test_plugin.py
@@ -2559,6 +2559,14 @@ def test_commando(node_factory, executor):
         fut.result(10)
 
     rune = l1.rpc.commando_rune()['rune']
+
+    # Bad rune fails
+    with pytest.raises(RpcError, match="Not authorized: Not derived from master"):
+        l2.rpc.call(method='commando',
+                    payload={'peer_id': l1.info['id'],
+                             'rune': 'VXY4AAkrPyH2vzSvOHnI7PDVfS6O04bRQLUCIUFJD5Y9NjQmbWV0aG9kPWludm9pY2UmcmF0ZT0yMZ==',
+                             'method': 'listpeers'})
+
     # This works
     res = l2.rpc.call(method='commando',
                       payload={'peer_id': l1.info['id'],