{"id":47662057,"url":"https://github.com/mbay7/claude-code-security","last_synced_at":"2026-04-02T11:33:19.858Z","repository":{"id":345422358,"uuid":"1185740692","full_name":"mbay7/claude-code-security","owner":"mbay7","description":"A 6-layer security framework for Claude Code workspaces: prompt injection detection, memory poisoning prevention, secrets scanning, behavioral audit logging, and pre-commit guardrails. Install in 5 minutes.","archived":false,"fork":false,"pushed_at":"2026-03-19T15:32:26.000Z","size":35,"stargazers_count":1,"open_issues_count":4,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-19T15:41:52.546Z","etag":null,"topics":["ai-security","claude-code","devtools","mcp","owasp","prompt-injection","security"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mbay7.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-18T22:36:41.000Z","updated_at":"2026-03-19T15:35:21.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mbay7/claude-code-security","commit_stats":null,"previous_names":["mbay7/claude-code-security"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/mbay7/claude-code-security","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbay7%2Fclaude-code-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbay7%2Fclaude-code-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbay7%2Fclaude-code-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbay7%2Fclaude-code-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mbay7","download_url":"https://codeload.github.com/mbay7/claude-code-security/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbay7%2Fclaude-code-security/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31305587,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T09:48:21.550Z","status":"ssl_error","status_checked_at":"2026-04-02T09:48:19.196Z","response_time":89,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-security","claude-code","devtools","mcp","owasp","prompt-injection","security"],"created_at":"2026-04-02T11:33:19.275Z","updated_at":"2026-04-02T11:33:19.852Z","avatar_url":"https://github.com/mbay7.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# claude-code-security\n\n**Runtime security for Claude Code workspaces.** Blocks prompt injection, memory poisoning, secret exposure, and hook tampering — automatically, at every session.\n\n[![Mentioned in Awesome Claude Code](https://awesome.re/mentioned-badge.svg)](https://github.com/hesreallyhim/awesome-claude-code)\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)\n[![Release](https://img.shields.io/github/v/release/mbay7/claude-code-security)](https://github.com/mbay7/claude-code-security/releases)\n[![Audit](https://github.com/mbay7/claude-code-security/actions/workflows/audit.yml/badge.svg)](https://github.com/mbay7/claude-code-security/actions/workflows/audit.yml)\n[![pytest](https://img.shields.io/badge/evals-68%20passed-brightgreen)](evals/)\n[![Issues](https://img.shields.io/github/issues/mbay7/claude-code-security)](https://github.com/mbay7/claude-code-security/issues)\n\n---\n\n## Install\n\n```bash\ngit clone https://github.com/mbay7/claude-code-security.git \u0026\u0026 cd claude-code-security \u0026\u0026 ./install.sh\n```\n\nReload Claude Code. Done.\n\n\u003e **Why git clone instead of `curl | bash`?** You're installing a security tool. Cloning first lets you read the code before it runs on your machine — that's the right default.\n\n**Requirements:** `python3`, `jq` (auto-installed via brew if missing)\n\n---\n\n## What It Catches\n\n```\n$ echo '{}' | python3 ~/.claude/hooks/memory-drift-check.py\n\n🚨 Context Poisoning Detected in Memory Files:\n  • INJECTION in project_notes.md:14 — \"ignore previous instructions and\"\n  • INJECTION in feedback_auth.md:3 — \"you are now a\"\n\nRun /security-scanner on any suspicious file.\n```\n\n```\n$ python3 ~/.claude/hooks/security-scan.py \u003c read_event.json\n\nSECURITY SCAN — external-readme.md\nFound 2 issue(s): 1 CRITICAL, 1 HIGH\n\n  [CRITICAL] Secret Exposure at line 4: Anthropic API key: sk-ant-ap...KEY\n  [HIGH]     Prompt Injection at line 12: \"ignore all previous instruct...\"\n\nACTION REQUIRED: Run /security-scanner on this file before proceeding.\n```\n\n```\n$ python3 ~/.claude/hooks/mcp-verifier.py --status\n\nConfigured MCP servers (3):\n\n  github\n    command: npx -y @modelcontextprotocol/server-github\n    env vars: GITHUB_PERSONAL_ACCESS_TOKEN\n  context7\n    command: npx -y @upstash/context7-mcp\n  unknown-server\n    command: node /tmp/malicious-server.js\n```\n\n```\n$ ~/.claude/hooks/hook-integrity.sh\n\nVerifying hook integrity...\n✓ memory-drift-check.py — OK\n✓ mcp-verifier.py — OK\n✓ security-scan.py — OK\n✓ tool-audit.py — OK\n✓ memory-write-guard.py — OK\n\nAll hooks verified — integrity confirmed (5 files)\n```\n\n---\n\n## What Gets Installed\n\n```\n~/.claude/\n├── hooks/\n│   ├── memory-drift-check.py    # SessionStart: memory poisoning scan\n│   ├── mcp-verifier.py          # SessionStart: MCP server integrity audit\n│   ├── security-scan.py         # PreToolUse: injection + secrets scanner\n│   ├── tool-audit.py            # PostToolUse: behavioral audit log\n│   ├── memory-write-guard.py    # PostToolUse: write-time injection guard\n│   ├── hook-integrity.sh        # On-demand SHA256 integrity check\n│   ├── .integrity.sha256        # Hook manifest (generated on install)\n│   └── .mcp-manifest.json       # MCP server manifest (generated on --init)\n└── skills/\n    └── security-scanner.md      # /security-scanner — auto-invoked on findings\n```\n\nPlus:\n- `~/.gitignore_global` — machine-wide `.env` protection across all repos\n- `.pre-commit-config.yaml` template — copy to each project, run `pre-commit install`\n\n---\n\n## 6 Layers\n\n| Layer | Hook | Threat | OWASP |\n|-------|------|--------|-------|\n| Memory integrity scan | `memory-drift-check.py` | MINJA-class memory poisoning (NeurIPS 2025) | LLM04:2025, ASI06 |\n| Memory write guard | `memory-write-guard.py` | Injection at write time — closes write vector | LLM04:2025 |\n| MCP server integrity | `mcp-verifier.py` | Unauthorized MCP servers, RCE via server config, hardcoded secrets in env | LLM08:2025 |\n| Pre-read file scanner | `security-scan.py` | Injection in external files, hardcoded secrets | LLM01:2025, LLM02:2025 |\n| .env write blocker | settings.json (inline) | Claude modifying secrets files | LLM06:2025 |\n| Behavioral audit log | `tool-audit.py` | Reverse shells, exfiltration, suspicious Bash | LLM05:2025 |\n| Git secrets protection | gitleaks + .gitignore | Secrets reaching git history | LLM02:2025 |\n\n---\n\n## What It Detects\n\n**Injection patterns (19):** ignore previous instructions · DAN mode · zero-width Unicode steganography · `[SYSTEM]:` tags · `\u003c\u003cSYS\u003e\u003e` blocks · role override attempts · when-Claude-reads-this payloads · HTML comment injections\n\n**Secret patterns (8):** Anthropic API keys · OpenAI keys · AWS credentials · GitHub PATs · Stripe live keys · private key blocks · Supabase JWTs\n\n**Malicious code patterns (5):** reverse shells (`nc -e /bin/bash`) · crypto miners (`xmrig`, `stratum+tcp`) · `base64 | bash` pipes · sensitive file reads (`~/.ssh`, `/etc/passwd`)\n\n---\n\n## Evals\n\nDetection claims are backed by 68 automated tests across all threat categories.\n\n```bash\npip install pytest\npython -m pytest evals/ -v\n```\n\n| Category | Tests | Coverage |\n|---|---|---|\n| Prompt injection | 20 | Direct overrides, role hijacks, structural tags, Unicode steganography |\n| Secret exposure | 17 | All 8 key types, crypto material, placeholder false-positive validation |\n| Memory poisoning | 13 | Write guard injection, clean-write false positives, edge cases |\n| Behavioral anomalies | 18 | Reverse shells, miners, exfil patterns, tool-audit clean/anomaly split |\n\nCI runs evals on every push and PR via [GitHub Actions](.github/workflows/audit.yml).\n\n---\n\n## Why Not Just Trust Claude Code's Built-in Protections?\n\nAnthropic's foundation is solid: permission gates, command blocklists, sandboxing (2026), and prompt injection classifiers. Three structural gaps remain:\n\n1. **Indirect prompt injection is architectural.** The LLM processes system instructions and data in a unified token stream — it cannot cryptographically distinguish a legitimate instruction from an injected one in a file it reads. Sandboxing reduces blast radius but doesn't stop injection.\n\n2. **Memory poisoning isn't in Anthropic's threat model yet.** `memory-drift-check.py` + `memory-write-guard.py` are the only open-source tools scanning Claude memory files for MINJA-class attacks.\n\n3. **Approval fatigue is real.** Research confirms developers approve Claude Code operations in bulk without reading them. Automated hooks don't rely on human attention.\n\nAnthropic, Microsoft, and Google all publish a Shared Responsibility Model — the vendor secures the model and infrastructure, the operator (you) secures the runtime. This framework covers your side.\n\n---\n\n## Threat Coverage\n\n| CVE / Threat | Coverage |\n|---|---|\n| CVE-2025-59536 (CVSS 8.7 — RCE via hooks) | `hook-integrity.sh` SHA256 manifest |\n| CVE-2025-6514 (CVSS 9.6 — mcp-remote RCE) | `mcp-verifier.py` + `security-scan.py` |\n| MINJA memory poisoning (NeurIPS 2025) | `memory-drift-check.py` + `memory-write-guard.py` |\n| OWASP LLM Top 10:2025 | LLM01–LLM08 |\n\n---\n\n## Compared to Alternatives\n\n| Tool | Injection | Memory Poisoning | MCP Integrity | Secrets | Hook Integrity | Write Guard |\n|---|---|---|---|---|---|---|\n| **claude-code-security** | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |\n| lasso-security/claude-hooks | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |\n| mintmcp/agent-security | ✗ | ✗ | ✗ | ✓ | ✗ | ✗ |\n| mafiaguy/claude-security-guardrails | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |\n\n---\n\n## Contributing\n\nNew detection patterns are the most valuable contribution. Each pattern must include a source (CVE number, OWASP ID, or research paper link).\n\n1. **Injection patterns** → `INJECTION_PATTERNS` in `hooks/security-scan.py`\n2. **Secret patterns** → `SECRET_PATTERNS` with format `(label, regex, severity)`\n3. **Gitleaks rules** → `config/.gitleaks.toml`\n4. **Bug reports** → [open an issue](https://github.com/mbay7/claude-code-security/issues)\n\nSee [CONTRIBUTING.md](docs/customization.md) for full details.\n\n---\n\n## License\n\nMIT — use it, fork it, adapt it for your stack.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmbay7%2Fclaude-code-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmbay7%2Fclaude-code-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmbay7%2Fclaude-code-security/lists"}