Prompt Shield Publish
Pass. Audited by ClawScan on May 1, 2026.
Overview
This is a disclosed local prompt-injection scanner and Claude Code hook, with no evidenced exfiltration or credential use, but users should notice its ongoing input-blocking behavior and verify its dependency and security-assurance claims.
This skill appears coherent for local prompt-injection filtering. Before installing, verify the code path you add to Claude Code, install Python/PyYAML from trusted sources, understand that the hook can block future prompts, and treat the whitelist peer-review labels as a local workflow rather than a cryptographic identity guarantee.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After enabling the hook, legitimate prompts may trigger a warning or be blocked if the scanner scores them as risky.
This shows a user-directed persistent hook that runs on future Claude Code user-input submissions and can block processing; that behavior is disclosed and aligned with a firewall skill.
Add to `~/.claude/settings.json`: ... "UserInputSubmit": [ "/path/to/prompt-shield/prompt-shield-hook.sh" ] ... BLOCK: Prevents processing
Enable the hook only if you want ongoing input filtering, test it with normal prompts, and remove the hook from Claude settings if you no longer want it.
Installation may fail or pull a package version the user did not review if PyYAML is not already present.
The skill is purpose-aligned, but its dependency story is inconsistent: it advertises zero dependencies while also requiring Python and PyYAML, and the PyYAML install instruction is unpinned.
description: "... zero dependencies ..." ... requires: bins: - python3 ... **Dependencies:** PyYAML (`pip install pyyaml`)
Install dependencies from trusted sources, consider pinning PyYAML to a known-good version, and update registry metadata to declare the runtime requirements.
A user may over-trust whitelist entries or reviewer labels and assume stronger tamper resistance than the artifacts demonstrate.
The whitelist feature uses strong assurance language, while the documented approval flow is a local CLI approval by reviewer name; users should treat it as local process control, not, by itself, independent authentication.
Hash-chain tamper-proof whitelisting ... Minimum 2 peer approvals required ... ./shield.py whitelist approve --seq 1 --by GUARDIAN
Protect the whitelist file, review proposed entries manually, and do not rely on reviewer labels as proof of independent approval unless your own workflow enforces that.
