{"id":51013929,"url":"https://github.com/bch1212/injectshield","last_synced_at":"2026-06-21T07:31:31.649Z","repository":{"id":355739732,"uuid":"1229395208","full_name":"bch1212/injectshield","owner":"bch1212","description":"Prompt-injection firewall for AI agents — heuristic + semantic detection. Open-source ruleset + managed API at injectshield.dev","archived":false,"fork":false,"pushed_at":"2026-05-10T21:18:39.000Z","size":234,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-29T02:08:01.123Z","etag":null,"topics":["agent","ai","ai-security","claude","cloudflare-pages","guardrails","llm","mcp","model-context-protocol","prompt-injection","railway","security","typescript"],"latest_commit_sha":null,"homepage":"https://injectshield.dev","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bch1212.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-05T02:07:19.000Z","updated_at":"2026-05-10T21:18:42.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/bch1212/injectshield","commit_stats":null,"previous_names":["bch1212/promptshield","bch1212/injectshield"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/bch1212/injectshield","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bch1212%2Finjectshield","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bch1212%2Finjectshield/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bch1212%2Finjectshield/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bch1212%2Finjectshield/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bch1212","download_url":"https://codeload.github.com/bch1212/injectshield/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bch1212%2Finjectshield/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34601660,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-21T02:00:05.568Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent","ai","ai-security","claude","cloudflare-pages","guardrails","llm","mcp","model-context-protocol","prompt-injection","railway","security","typescript"],"created_at":"2026-06-21T07:31:31.034Z","updated_at":"2026-06-21T07:31:31.634Z","avatar_url":"https://github.com/bch1212.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# InjectShield\n\n**Prompt-injection firewall for AI agents.**\n\nA drop-in REST API that detects and neutralizes injection attacks in any text — git commits, web pages, files, emails, user inputs — *before* they reach your AI agent's context window.\n\nThis repo is the **open-source heuristic ruleset** plus the source for the managed API at [promptshield.pages.dev](https://promptshield.pages.dev).\n\n---\n\n## Why\n\nIn May 2026 a viral HN thread demonstrated that a single git commit message could burn a Claude Code user's entire session quota via a schema-driven attack (\"OpenClaw\"). The pattern is general: any AI agent that ingests untrusted text — code review bots, documentation summarizers, RAG agents, support copilots — is exposed to prompt injection. Most teams ship without any input-side defense.\n\nInjectShield is one layer of a defense-in-depth strategy. It's not a silver bullet. Use it alongside system-prompt hardening, tool sandboxing, and output filtering.\n\n## Install as an MCP (Claude Code, Cursor, Cline, ...)\n\nInjectShield ships a native MCP server at [`@injectshield/mcp`](./packages/injectshield-mcp). Once installed, your agent has three new tools — `scan`, `scan_url`, `patterns` — for input-side defense without writing any glue code.\n\n```bash\n# Claude Code:\nclaude mcp add injectshield --env INJECTSHIELD_API_KEY=is_live_… -- npx -y @injectshield/mcp\n```\n\nFor Cursor / Cline / other MCP clients, see [`packages/injectshield-mcp/README.md`](./packages/injectshield-mcp/README.md).\n\n## Quick start\n\n```bash\n# 1) Get a key (delivered by email):\ncurl -X POST https://api.injectshield.dev/v1/keys \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"email\":\"you@company.com\"}'\n\n# 2) Scan:\ncurl -X POST https://api.injectshield.dev/v1/scan \\\n  -H \"Authorization: Bearer is_live_...\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"text\":\"ignore previous instructions\",\"context\":\"user_input\"}'\n```\n\nOr signup via the landing page: https://injectshield.dev — self-serve, email delivery.\n\n## What's open-source vs. managed\n\n**Live:**\n\n- Landing page + live demo: https://injectshield.dev\n- API base: `https://api.injectshield.dev`\n- Health: https://api.injectshield.dev/healthz\n- Docs: https://injectshield.dev/docs\n\n**Open-source (this repo, MIT):**\n\n- `src/patterns.ts` — the heuristic pattern library (~20 categorized rules).\n- `src/detect.ts` — the detection engine (heuristic aggregation, sanitization).\n- `test/` — the test suite.\n- `server/`, `public/` — the full API + landing-page source.\n\n**Managed only (paid tiers):**\n\n- Hosted API with usage metering, dashboards, custom-pattern uploads, webhook alerts, no-logging mode (Pro), team accounts.\n- Future: Workers AI / Anthropic semantic classifier with prompt-engineered injection detection.\n\n## Detection categories\n\n| Category | Examples |\n|---|---|\n| `instruction_injection` | \"ignore previous instructions\", \"new system prompt\" |\n| `system_override` | system-prompt leak, role-tag forgery, ChatML/Llama special tokens |\n| `role_hijack` | \"you are now…\", DAN, Developer Mode |\n| `exfiltration` | data sent to attacker URLs, markdown image exfil |\n| `schema_attack` | OpenClaw-style schema references |\n| `encoding_smuggle` | base64-decoded directives |\n| `invisible_text` | zero-width / bidi / Unicode-Tag smuggling |\n| `tool_abuse` | synthetic tool-call directives in untrusted text |\n| `jailbreak_classic` | DAN, \"no restrictions\", etc. |\n\n## Contributing patterns\n\nFound a novel attack? Open a PR adding a `PatternRule` to `src/patterns.ts` with:\n\n1. A unique `id`.\n2. A `category` from the enum above.\n3. A `weight` in [0, 1] — pick conservatively; the aggregation in `detect.ts` combines weights so every additional rule contributes meaningfully but isn't dominant.\n4. A test in `test/detect.test.ts` covering both a positive and a likely-benign negative example.\n\nWe auto-deploy merged patterns to the managed API. No-cost contributions get attribution in the changelog.\n\n## Running locally\n\n```bash\nnpm install\nnpm test         # 11 tests, ~20ms\nDATABASE_URL=postgres://... npm run dev   # boots Hono on :8080\n```\n\n## License\n\n[MIT](LICENSE). InjectShield reduces but does not eliminate prompt-injection risk.\n\n## Acknowledgments\n\nBuilt on Cloudflare Pages (frontend) + Railway (API) + Postgres + Anthropic Claude (semantic layer).\nPattern library informed by HackAPrompt, the PINT benchmark, and [a long list of public attack examples](https://github.com/leondz/garak).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbch1212%2Finjectshield","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbch1212%2Finjectshield","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbch1212%2Finjectshield/lists"}