Prompt-injection firewall for AI agents — scan untrusted text before LLM calls.
Config is the same across clients — only the file and path differ.
```json
{
  "mcpServers": {
    "io-github-bch1212-injectshield": {
      "args": [
        "-y",
        "@injectshield/mcp"
      ],
      "command": "npx"
    }
  }
}
```
A drop-in REST API that detects and neutralizes injection attacks in any text — git commits, web pages, files, emails, user inputs — before they reach your AI agent's context window.
Run this in your terminal to verify the server starts:

```bash
npx -y '@injectshield/mcp' 2>&1 | head -1 && echo "✓ Server started successfully"
```
No known CVEs.
Checked @injectshield/mcp against OSV.dev.
Prompt-injection firewall for AI agents.
This repo is the open-source heuristic ruleset plus the source for the managed API at promptshield.pages.dev.
In May 2026 a viral HN thread demonstrated that a single git commit message could burn a Claude Code user's entire session quota via a schema-driven attack ("OpenClaw"). The pattern is general: any AI agent that ingests untrusted text — code review bots, documentation summarizers, RAG agents, support copilots — is exposed to prompt injection. Most teams ship without any input-side defense.
InjectShield is one layer of a defense-in-depth strategy. It's not a silver bullet. Use it alongside system-prompt hardening, tool sandboxing, and output filtering.
InjectShield ships a native MCP server at @injectshield/mcp. Once installed, your agent has three new tools — scan, scan_url, patterns — for input-side defense without writing any glue code.
```bash
# Claude Code:
claude mcp add injectshield --env INJECTSHIELD_API_KEY=is_live_… -- npx -y @injectshield/mcp
```
For Cursor / Cline / other MCP clients, see packages/injectshield-mcp/README.md.
```bash
# 1) Get a key (delivered by email):
curl -X POST https://api.injectshield.dev/v1/keys \
  -H "Content-Type: application/json" \
  -d '{"email":"you@company.com"}'

# 2) Scan:
curl -X POST https://api.injectshield.dev/v1/scan \
  -H "Authorization: Bearer is_live_..." \
  -H "Content-Type: application/json" \
  -d '{"text":"ignore previous instructions","context":"user_input"}'
```
Or sign up via the landing page: https://injectshield.dev — self-serve, email delivery.
Live: https://api.injectshield.dev

Open-source (this repo, MIT):

- src/patterns.ts — the heuristic pattern library (~20 categorized rules).
- src/detect.ts — the detection engine (heuristic aggregation, sanitization).
- test/ — the test suite.
- server/, public/ — the full API + landing-page source.

Managed only (paid tiers):
| Category | Examples |
|---|---|
| instruction_injection | "ignore previous instructions", "new system prompt" |
| system_override | system-prompt leak, role-tag forgery, ChatML/Llama special tokens |
| role_hijack | "you are now…", DAN, Developer Mode |
| exfiltration | data sent to attacker URLs, markdown image exfil |
| schema_attack | OpenClaw-style schema references |
| encoding_smuggle | base64-decoded directives |
| invisible_text | zero-width / bidi / Unicode-Tag smuggling |
| tool_abuse | synthetic tool-call directives in untrusted text |
| jailbreak_classic | DAN, "no restrictions", etc. |
Found a novel attack? Open a PR adding a PatternRule to src/patterns.ts with:
- id.
- category from the enum above.
- weight in [0, 1] — pick conservatively; the aggregation in detect.ts combines weights so every additional rule contributes meaningfully but isn't dominant.
- test/detect.test.ts covering both a positive and a likely-benign negative example.

We auto-deploy merged patterns to the managed API. No-cost contributions get attribution in the changelog.
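To make the rule shape and the weight aggregation concrete, here is an added example written for this page (not InjectShield's own src/detect.ts): three constructed rules from the categories in the table, a scan that aggregates matched weights, and a sanitizer that strips the matched spans. The rule ids and regexes are illustrative, and the noisy-OR combination (score = 1 − Π(1 − wᵢ)) is an assumption, since the README does not say how detect.ts combines weights.

```typescript
// Added example, not InjectShield's own src/detect.ts: a minimal weighted
// heuristic scanner. Rule ids/regexes are constructed; noisy-OR is assumed.
type Category =
  | "instruction_injection" | "system_override" | "role_hijack"
  | "exfiltration" | "schema_attack" | "encoding_smuggle"
  | "invisible_text" | "tool_abuse" | "jailbreak_classic";

interface PatternRule {
  id: string;          // hypothetical rule ids
  category: Category;  // one of the categories in the table above
  weight: number;      // in [0, 1]; pick conservatively
  pattern: RegExp;     // no "g" flag; a global copy is built for sanitizing
}

// Constructed sample rules; the real library has ~20 such rules.
const RULES: PatternRule[] = [
  { id: "ignore-previous", category: "instruction_injection", weight: 0.6,
    pattern: /ignore\s+(?:all\s+)?previous\s+instructions/i },
  { id: "you-are-now", category: "role_hijack", weight: 0.4,
    pattern: /\byou\s+are\s+now\b/i },
  { id: "zero-width", category: "invisible_text", weight: 0.5,
    pattern: /[\u200B-\u200D\u2060\uFEFF]/ },
];

interface ScanResult {
  score: number;       // 0..1, aggregated over matched rules
  matched: string[];   // ids of the rules that fired
  sanitized: string;   // input with matched spans removed
}

function scan(text: string, rules: PatternRule[] = RULES): ScanResult {
  let survive = 1;     // running product of (1 - weight) over fired rules
  const matched: string[] = [];
  let sanitized = text;
  for (const rule of rules) {
    if (!rule.pattern.test(text)) continue;
    matched.push(rule.id);
    // Noisy-OR: each extra hit raises the score, no single rule dominates.
    survive *= 1 - rule.weight;
    const global = new RegExp(rule.pattern.source, rule.pattern.flags + "g");
    sanitized = sanitized.replace(global, "");
  }
  return { score: 1 - survive, matched, sanitized };
}

// Threshold is an assumed default; tune it against benign negatives.
function isInjection(text: string, threshold = 0.5): boolean {
  return scan(text).score >= threshold;
}
```

With these weights a lone "you are now" (0.4) stays below the threshold while two hits stack to 0.76, which is the "contributes but isn't dominant" behaviour the contribution guidelines ask for.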
```bash
npm install
npm test
```
... [View full README on GitHub](https://github.com/bch1212/injectshield#readme)