by efij
Security guardrails for Claude Code, MCP tools, and Claude cowork workflows. Local-first modular YARA-style guard packs for secrets, exfiltration, prompt injection, MCP abuse, and risky agent actions.
# Add to your Claude Code skills
git clone https://github.com/efij/secure-claude-code

Guides for using ai agents skills like secure-claude-code.
Last scanned: 5/30/2026
```json
{
  "issues": [],
  "status": "PASSED",
  "scannedAt": "2026-05-30T17:04:45.192Z",
  "npmAuditRan": true,
  "pipAuditRan": true
}
```

secure-claude-code is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by efij. Security guardrails for Claude Code, MCP tools, and Claude cowork workflows. Local-first modular YARA-style guard packs for secrets, exfiltration, prompt injection, MCP abuse, and risky agent actions. It has 100 GitHub stars.
Yes. secure-claude-code passed SkillsLLM's automated security scan — a dependency vulnerability audit plus prompt-injection heuristics — with no high-severity issues. You can read the full report in the Security Report section on this page.
Clone the repository with "git clone https://github.com/efij/secure-claude-code" and add it to your Claude Code skills directory (see the Installation section above).
secure-claude-code is primarily written in Python. It is open-source under efij on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh secure-claude-code against similar tools.
Runtime security for Claude Code, Codex, and MCP-native coding clients. Protect shell, git, MCP, secrets, plugins, skills, and risky agent actions before they turn into damage.
Runwall adds a practical security layer around coding-agent runtimes to reduce prompt injection fallout, secret leakage, unsafe command execution, dangerous git operations, and risky MCP, plugin, or skill configurations.
It now does both:
It is built for solo builders, startups, security-minded teams, and larger orgs that want safer defaults around AI coding workflows.
Coding agents are useful because they can read files, run shell commands, use git, connect to MCP tools, and increasingly work across more than one runtime.
That is also exactly why they need guardrails.
Runwall helps reduce real-world risk around:
It is practical, transparent, and built for real developer environments.
Runwall now supports four integration styles:
Runwall helps you:
- kubectl exec, and direct production data dumps

It works well on top of Claude Code sandbox mode too. Sandboxing helps contain damage. Runwall adds guard logic on top of that containment layer.
Runwall now treats executed CLIs as a second trust plane beside MCP.
That matters because a lot of modern agent power flows through local tools, generated CLIs, wrapper scripts, and PATH-injected helpers that never show up as MCP servers.
The built-in tool trust layer fingerprints executed tools, stores local trust state in Runwall state files, typically ~/.runwall/state/tools.json when installed, and intervenes on a few high-confidence cases:
- git, gh, kubectl, terraform, claude, or codex
- PATH
- npx, pnpm dlx, yarn dlx, uvx, pipx run, and bunx when they point at mutable or remote sources

You can inspect and manage that local trust state with:
```sh
./bin/runwall tools list
./bin/runwall tools list --json
./bin/runwall tools approve <name-or-path>
./bin/runwall tools forget <name-or-path>
```
Runwall now treats piggyback hooks as a third trust plane beside MCP and raw tool execution.
That matters because a lot of quiet hijack paths do not look like “new malware.” They look like small edits to normal workflow triggers:
- preinstall and prepare

The built-in hook trust layer keeps a local registry in Runwall state files, typically ~/.runwall/state/hooks.json when installed, and intervenes on a few high-confidence cases:
- kubectl exec, prod database shells or dumps, and destructive infra commands
- --no-verify, hook-disabling flags, or review-bypass language
- bash -c, python -c, node -e, or encoded PowerShell

You can inspect and manage that local trust state with:
```sh
./bin/runwall hooks list
./bin/runwall hooks list --json
./bin/runwall hooks diff <path-or-key>
./bin/runwall hooks approve <path-or-key>
./bin/runwall hooks forget <path-or-key>
```
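The tool trust plane and the hook trust plane described above both rest on the same mechanism: fingerprint the executable or hook file, keep a local JSON registry of what was first seen, and flag a handful of high-confidence cases. The following is an added illustration of that idea, not Runwall's own code; the state-file layout, the status values, the trusted-directory list and the hook regexes are assumptions made for the example.

```python
"""Added illustration of the fingerprint-and-registry idea behind Runwall's tool
and hook trust planes; not Runwall's code. State layout and patterns are assumed."""
import hashlib, json, os, re, shutil, tempfile
from pathlib import Path

PROTECTED_TOOLS = {"git", "gh", "kubectl", "terraform", "claude", "codex"}
# Assumed regexes for the high-confidence hook cases named on the page.
RISKY_HOOK_PATTERNS = [r"--no-verify", r"\bbash -c\b", r"\bpython3? -c\b",
                       r"\bnode -e\b", r"(?i)-enc(odedcommand)?\s+[A-Za-z0-9+/=]{16,}"]

def fingerprint(path: str) -> str:
    """sha256 of the file, so any edit to a tool or hook changes its identity."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def check_trust(path: str, state_file: str) -> str:
    """Return 'new', 'unchanged' or 'changed'; first-seen fingerprints are recorded."""
    state = json.loads(Path(state_file).read_text()) if os.path.exists(state_file) else {}
    key, digest = str(Path(path).resolve()), fingerprint(path)
    if key not in state:
        state[key], status = {"sha256": digest, "approved": False}, "new"
    else:
        status = "unchanged" if state[key]["sha256"] == digest else "changed"
    Path(state_file).write_text(json.dumps(state, indent=2))
    return status

def shadowed_tool(name: str, path_env=None, trusted=("/usr/bin", "/bin", "/usr/local/bin")) -> bool:
    """True when a protected tool name resolves through PATH to an untrusted directory."""
    found = shutil.which(name, path=path_env)
    return name in PROTECTED_TOOLS and found is not None and \
        not any(Path(found).resolve().is_relative_to(d) for d in trusted)

def risky_hook_findings(hook_body: str) -> list:
    """Patterns in a hook body that should prompt before the hook is trusted."""
    return [p for p in RISKY_HOOK_PATTERNS if re.search(p, hook_body)]

def demo() -> dict:
    """Constructed run in a scratch directory: a hook is seen, edited, and re-checked."""
    d = tempfile.mkdtemp()
    hook, state = os.path.join(d, "pre-commit"), os.path.join(d, "hooks.json")
    Path(hook).write_text("#!/bin/sh\nnpm test\n")
    first, second = check_trust(hook, state), check_trust(hook, state)
    Path(hook).write_text("#!/bin/sh\nnpm test\ngit push --no-verify\n")  # quiet edit
    third = check_trust(hook, state)
    Path(os.path.join(d, "git")).write_text("#!/bin/sh\n")   # constructed lookalike 'git'
    os.chmod(os.path.join(d, "git"), 0o755)
    return {"seen": [first, second, third],
            "findings": risky_hook_findings(Path(hook).read_text()),
            "shadowed": shadowed_tool("git", path_env=d)}
```

`demo()` returns `["new", "unchanged", "changed"]` for the three checks, the `--no-verify` finding for the edited hook, and `True` for the lookalike `git` found ahead of the trusted directories.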
Runwall now adds four more native trust planes on top of tools and hooks:
- Sensitive Data Flow: tracks when a session touches secrets or production data, then blocks exports, clipboard bridges, archive prep, public-artifact writes, browser-session uploads, and cross-agent laundering later in the same session
- Local Service Trust: treats local sockets, localhost admin APIs, browser debug ports, Docker APIs, DBus, metadata endpoints, local databases, and kube control-plane targets as trust targets instead of invisible localhost traffic
- Browser Session Defense: prompts or blocks browser automation against sensitive logged-in domains, especially when the flow exports cookies, screenshots, DOM dumps, bulk captures, or executable downloads
- Agent Graph & Isolation: re