Prompt Shield
v3.0.6
Prompt Injection Firewall for AI agents. 113 detection patterns, 14 threat categories, zero dependencies. Protects against fake authority, command injection, memory poisoning, skill malware, crypto spam, and more. Hash-chain tamper-proof whitelist with mandatory peer review. Claude Code hook integration.
⭐ 0 · 1.1k · 2 current · 2 all-time
by @stlas
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)
Purpose & Capability
The files (shield.py, patterns.yaml, whitelist.yaml, hook) implement a local prompt-scanner/whitelist as described. However the top-level description claims "zero dependencies" while SKILL.md and shield.py require Python3 + PyYAML. SKILL.md references a GitHub repo (https://github.com/stlas/PromptShield) but the skill source is marked 'unknown' in registry metadata — this mismatch reduces provenance/trust. Overall the required artifacts (pattern DB, CLI, Claude hook) are coherent with the stated purpose, but the provenance and dependency claim are inconsistent.
Instruction Scope
Runtime instructions and the provided hook are narrowly scoped: they read input (stdin/JSON) and run local pattern scans, then exit with codes/messages to let Claude accept/warn/block. The skill does not request or read arbitrary system environment variables. It does read and write local files (whitelist.yaml, whitelist-audit.log) in its directory. SKILL.md promotes integrating the hook into ~/.claude/settings.json (requires user edit). Documentation mentions external mechanisms (e.g., SYNAPSE peer approval) and 'peer review' processes that are not implemented or cryptographically enforced in the supplied code — the approval model is just string entries in the YAML, not authenticated peers. That inconsistency could give a false sense of protection.
Install Mechanism
There is no install spec (instruction-only) but implementation files are included. This means installing is a manual file placement and running shield.py locally. There are no network downloads or packaged installers in the manifest, which lowers supply-chain risk, but the code requires PyYAML (pip). The absence of an automated install step is coherent but the skill's description saying 'zero dependencies' contradicts the actual dependency on PyYAML.
Credentials
The skill asks for no environment variables, no credentials, and no config paths outside its own directory. It writes its own whitelist and audit log files locally. That level of access is proportionate for a local prompt-scanner.
Persistence & Privilege
always:false (default) and disable-model-invocation:false are set — normal for skills. The skill does not request system-wide privileges or modify other skills. It does create/modify whitelist.yaml and whitelist-audit.log in its own directory if used; enabling the hook requires editing the user's Claude settings.json (a manual step by the user).
What to consider before installing
This package appears to implement a local prompt-scanner and hook for Claude, but exercise caution before enabling it:
- Provenance: the registry lists the source as 'unknown' even though SKILL.md references a GitHub repo. Verify the upstream project and author (download from a trusted repo or vendor) before installing.
- Dependencies: despite the claim of "zero dependencies," shield.py requires Python3 and PyYAML. Install those from trusted package sources and inspect installed packages.
- Whitelist / peer review: the hash-chain whitelist exists, but the "peer review" protections are enforced only via names in the YAML (strings). There is no cryptographic identity or external approval service in the shipped code, so a local attacker or misconfigured workflow could add approvals or edit the file. Do not enable the whitelist or give it trust until you understand the approval workflow.
- File writes: the tool writes whitelist.yaml and whitelist-audit.log in its directory. Consider file permissions, location (use an isolated path), and backups before enabling.
- Hook integration: adding the hook requires editing ~/.claude/settings.json; verify what your Claude client does with hook exit codes. Test the scanner locally first (dry-run on benign data) to evaluate false positives and behaviour.
- Review for network behavior: the included files show no explicit network calls, but you should search the full shield.py (especially truncated parts) for any HTTP/exec calls before trusting it in production.
If you want to proceed: run the code in an isolated environment, inspect the full shield.py for external calls, install PyYAML from a trusted source, and only enable the Claude hook after confirming behaviour and whitelist governance. If you want me to, I can re-scan the remaining truncated parts of shield.py for network or obfuscated behavior (upload the full file text).
Like a lobster shell, security has layers — review code before you run it.
Tags: agent-safety, firewall, latest, prompt-injection, security