InjectShield scans untrusted text for prompt injection patterns before it reaches your LLM's context window. The MCP server exposes three tools: scan for raw text, scan_url for remote content, and patterns to inspect the current ruleset. It runs heuristic detection across nine categories including instruction injection, role hijack, exfiltration attempts, and encoding smuggling, then returns risk scores and sanitized output. You'd reach for this when your agent ingests git commits, documentation, user inputs, or any external content you don't control. The detection patterns are open source (MIT), while the hosted API at api.injectshield.dev adds metering, custom patterns, and semantic classification via Workers AI.
Prompt-injection firewall for AI agents.
A drop-in REST API that detects and neutralizes injection attacks in any text — git commits, web pages, files, emails, user inputs — before they reach your AI agent's context window.
This repo is the open-source heuristic ruleset plus the source for the managed API at promptshield.pages.dev.
In May 2026 a viral HN thread demonstrated that a single git commit message could burn a Claude Code user's entire session quota via a schema-driven attack ("OpenClaw"). The pattern is general: any AI agent that ingests untrusted text — code review bots, documentation summarizers, RAG agents, support copilots — is exposed to prompt injection. Most teams ship without any input-side defense.
InjectShield is one layer of a defense-in-depth strategy. It's not a silver bullet. Use it alongside system-prompt hardening, tool sandboxing, and output filtering.
InjectShield ships a native MCP server at @injectshield/mcp. Once installed, your agent has three new tools — scan, scan_url, patterns — for input-side defense without writing any glue code.
```bash
# Claude Code:
claude mcp add injectshield --env INJECTSHIELD_API_KEY=is_live_… -- npx -y @injectshield/mcp
```
For Cursor / Cline / other MCP clients, see packages/injectshield-mcp/README.md.
```bash
# 1) Get a key (delivered by email):
curl -X POST https://api.injectshield.dev/v1/keys \
  -H "Content-Type: application/json" \
  -d '{"email":"you@company.com"}'

# 2) Scan:
curl -X POST https://api.injectshield.dev/v1/scan \
  -H "Authorization: Bearer is_live_..." \
  -H "Content-Type: application/json" \
  -d '{"text":"ignore previous instructions","context":"user_input"}'
```
Or sign up via the landing page: https://injectshield.dev — self-serve, email delivery.
Live: https://api.injectshield.dev

Open-source (this repo, MIT):

- src/patterns.ts — the heuristic pattern library (~20 categorized rules).
- src/detect.ts — the detection engine (heuristic aggregation, sanitization).
- test/ — the test suite.
- server/, public/ — the full API + landing-page source.

Managed only (paid tiers):
| Category | Examples |
|---|---|
| instruction_injection | "ignore previous instructions", "new system prompt" |
| system_override | system-prompt leak, role-tag forgery, ChatML/Llama special tokens |
| role_hijack | "you are now…", DAN, Developer Mode |
| exfiltration | data sent to attacker URLs, markdown image exfil |
| schema_attack | OpenClaw-style schema references |
| encoding_smuggle | base64-decoded directives |
| invisible_text | zero-width / bidi / Unicode-Tag smuggling |
| tool_abuse | synthetic tool-call directives in untrusted text |
| jailbreak_classic | DAN, "no restrictions", etc. |
Found a novel attack? Open a PR adding a PatternRule to src/patterns.ts with:

- id.
- category from the enum above.
- weight in [0, 1] — pick conservatively; the aggregation in detect.ts combines weights so every additional rule contributes meaningfully but isn't dominant.
- test/detect.test.ts covering both a positive and a likely-benign negative example.

We auto-deploy merged patterns to the managed API. No-cost contributions get attribution in the changelog.
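To make the category table and the weight-aggregation rule above concrete, here is an added, self-contained sketch of a categorized rule set with a noisy-OR score and a sanitization pass. It is illustration code written for this page, not InjectShield's src/patterns.ts or src/detect.ts; the rule regexes, weights and the noisy-OR formula are assumptions.

```typescript
// Added example of a weighted, categorised heuristic scanner. It is not InjectShield's
// code; rule texts, weights and the noisy-OR aggregation are assumptions for illustration.
type Category = "instruction_injection" | "role_hijack" | "exfiltration" | "invisible_text";

interface PatternRule {
  id: string;
  category: Category;
  weight: number;   // confidence in [0, 1], chosen conservatively (constructed values)
  pattern: RegExp;
}

// Constructed rules spanning four of the categories listed in the table.
const RULES: PatternRule[] = [
  { id: "ignore-previous", category: "instruction_injection", weight: 0.6,
    pattern: /ignore (?:all )?previous instructions/gi },
  { id: "you-are-now", category: "role_hijack", weight: 0.5, pattern: /\byou are now\b/gi },
  // Markdown image whose URL carries a query string: a channel for leaking context data.
  { id: "md-image-exfil", category: "exfiltration", weight: 0.7,
    pattern: /!\[[^\]]*\]\(https?:\/\/[^)\s]*\?[^)\s]*\)/gi },
  // Zero-width and bidi control characters that hide text from human reviewers.
  { id: "zero-width", category: "invisible_text", weight: 0.4,
    pattern: /[\u200B-\u200F\u202A-\u202E\u2060\uFEFF]/g },
];

interface ScanResult {
  risk: number;                                   // 0 = nothing found, approaches 1 as evidence accumulates
  matches: { id: string; category: Category }[];
  sanitized: string;
}

function scan(text: string): ScanResult {
  const hits = RULES.filter(r => { r.pattern.lastIndex = 0; return r.pattern.test(text); });
  // Noisy-OR: risk = 1 - prod(1 - w_i). Every extra hit raises the score, but a single
  // rule can never push it to 1 on its own, so no one pattern dominates the verdict.
  const risk = 1 - hits.reduce((acc, r) => acc * (1 - r.weight), 1);
  let sanitized = text;
  for (const r of hits) {
    r.pattern.lastIndex = 0;
    // Invisible characters are stripped outright; visible injection text is replaced
    // with an inert marker so the downstream model can see that something was removed.
    sanitized = sanitized.replace(r.pattern, r.category === "invisible_text" ? "" : `[removed:${r.category}]`);
  }
  return {
    risk: Math.round(risk * 1000) / 1000,
    matches: hits.map(r => ({ id: r.id, category: r.category })),
    sanitized,
  };
}
```

Two hits of weight 0.6 and 0.5 yield a risk of 0.8 rather than 1.1, which is the property the contribution guideline asks for: each rule adds signal without any one rule saturating the score.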
```bash
npm install
npm test                                  # 11 tests, ~20ms
DATABASE_URL=postgres://... npm run dev   # boots Hono on :8080
```
MIT. InjectShield reduces but does not eliminate prompt-injection risk.
Built on Cloudflare Pages (frontend) + Railway (API) + Postgres + Anthropic Claude (semantic layer). Pattern library informed by HackAPrompt, the PINT benchmark, and a long list of public attack examples.
| Variable | Required | Default | Description |
|---|---|---|---|
| INJECTSHIELD_API_KEY | yes (secret) | — | API key from https://injectshield.dev (free tier: 10K req/mo). |
| INJECTSHIELD_API_BASE | no | https://api.injectshield.dev | Override the API base URL for self-hosted deployments. |