secure-claude-code

Security guardrails for Claude Code, MCP tools, and Claude cowork workflows. Local-first modular YARA-style guard packs for secrets, exfiltration, prompt injection, MCP abuse, and risky agent actions.

README

Runwall

Runtime security guardrails for Claude Code, Codex, and MCP-based coding setups.

Runwall sits between the agent and risky actions so you can:

  • block obvious bad shell, git, MCP, and exfiltration flows
  • scan a repo or runtime setup before enabling it
  • keep a practical security baseline without turning normal coding into sludge

Why Use It

Coding agents can:

  • run shell commands
  • edit files
  • push git changes
  • call MCP tools
  • touch secrets, browsers, databases, and local services

That is useful, but it is also enough to leak data or damage a machine fast.

Runwall helps reduce that risk with:

  • preflight checks before risky actions run
  • output inspection after tools return untrusted content
  • local trust tracking for tools, hooks, data stores, IPC targets, and approvals
  • installable profiles: minimal, balanced, and strict

Fast Start

Claude Code

claude plugin marketplace add efij/secure-claude-code
claude plugin install runwall@runwall
claude plugin list

Expected result:

  • runwall@runwall
  • Status: enabled

Codex

If your Codex supports local bundle install, install this repo as a plugin bundle.

Fallback:

./bin/runwall generate-runtime-config codex balanced

Local CLI Install

git clone https://github.com/efij/secure-claude-code.git
cd secure-claude-code
./bin/runwall install balanced
./bin/runwall doctor

Profiles

  • minimal: lowest friction
  • balanced: sensible default
  • strict: strongest blocking and review prompts

What It Protects

  • shell execution
  • git and repo actions
  • MCP requests and responses
  • plugin and skill trust boundaries
  • secrets and local credential stores
  • local services, IPC, and browser sessions
  • destructive actions and production access

Protection families

  • Secrets & Identity
  • Supply Chain & Dependencies
  • Git & Source Control
  • MCP, Plugins & Skills
  • Runtime, Network & Egress
  • Infra & Production Access
  • Trust, Persistence & Evasion
  • Quality & Workflow
  • Memory & Knowledge
  • SaaS & Control Planes
  • Fileless & Inline Execution
  • Remote Content Promotion
  • Local Data Stores
  • Local IPC & Helpers
  • Publish, Release & Supply Chain
  • Destructive Actions & Blast Radius

Full guard inventory: GUARDS.md

Common Commands

./bin/runwall install balanced
./bin/runwall doctor
./bin/runwall audit .
./bin/runwall list protections
./bin/runwall list runtimes
./bin/runwall generate-runtime-config codex balanced
./bin/runwall generate-runtime-config cursor balanced
./bin/runwall generate-runtime-config windsurf balanced
./bin/runwall generate-runtime-config claude-desktop balanced

Advanced trust-plane commands

./bin/runwall tools list --json
./bin/runwall tools approve <name-or-path>
./bin/runwall hooks list --json
./bin/runwall hooks diff <path-or-key>
./bin/runwall approvals list --json
./bin/runwall services list --json
./bin/runwall data list --json
./bin/runwall ipc list --json
./bin/runwall browser sessions --json
./bin/runwall flow list --json
./bin/runwall agents graph --json
./bin/runwall memory list --json
./bin/runwall knowledge list --json
./bin/runwall review list --json
./bin/runwall artifacts list --json
./bin/runwall release list --json
./bin/runwall destructive list --json
./bin/runwall handoff graph --json
./bin/runwall auth list --json
./bin/runwall apps list --json
./bin/runwall safety list --json

Supported Runtimes

Runtime              Status       How
Claude Code          First-class  native plugin hooks
Codex                Supported    plugin bundle or generated MCP config
Cursor               Supported    generated mcp.json
Windsurf             Supported    generated mcp_config.json
Claude Desktop       Supported    generated claude_desktop_config.json
Generic MCP clients  Supported    inline MCP gateway
CI                   Supported    CLI policy checks

More detail: RUNTIMES.md

Audit First

If you want to inspect before enabling:

./bin/runwall audit .
./bin/runwall audit . --format html --output runwall-audit.html
./bin/runwall audit . --format sarif --output runwall-audit.sarif

Troubleshooting

Claude plugin says failed to load

Run:

claude plugin uninstall runwall@runwall
claude plugin marketplace remove runwall
claude plugin marketplace add efij/secure-claude-code
claude plugin install runwall@runwall
claude plugin list

You want:

  • Status: enabled

If GitHub still serves an older broken marketplace state, install from a local checkout until the fix is pushed:

cd ..
git clone https://github.com/efij/secure-claude-code.git
claude plugin marketplace add ./secure-claude-code
claude plugin install runwall@runwall

CI is failing

Run the local smoke checks:

bash tests/smoke.sh

If you only want the quick sanity path:

bash -n bin/shield install.sh update.sh uninstall.sh hooks/lib/patterns.sh tests/smoke.sh
python3 -m py_compile scripts/runwall_tools.py
./bin/runwall generate-plugin-hooks balanced /tmp/runwall-hooks.json
claude plugin validate .

Install Methods

More install options

macOS / Linux bootstrap

curl -fsSL https://raw.githubusercontent.com/efij/secure-claude-code/main/scripts/bootstrap.sh | bash -s -- --repo efij/secure-claude-code --ref main --profile balanced

Windows bootstrap

irm https://raw.githubusercontent.com/efij/secure-claude-code/main/scripts/bootstrap.ps1 | iex; Install-Runwall -Repo "efij/secure-claude-code" -Ref "main" -Profile "balanced"

Thin compatibility wrappers

  • install.sh
  • update.sh
  • uninstall.sh

They forward to ./bin/runwall.

Project Docs

  • GUARDS.md: guard inventory
  • RUNTIMES.md: runtime adapters
  • SECURITY_MODEL.md: model and assumptions
  • CHANGELOG.md: release notes
  • CONTRIBUTING.md: contributor notes

License

MIT

Release History

Each entry lists version, urgency, release date, and the release notes as shown on the page.

  • v15.0.0 (High, 4/9/2026): Latest release: v15.0.0
  • v14.0.0 (High, 4/9/2026): Latest release: v14.0.0
  • v13.0.0 (Medium, 4/9/2026): Release v13.0.0
  • v12.0.0 (Medium, 4/9/2026): Release v12.0.0
  • v11.0.0 (Medium, 4/8/2026): Release v11.0.0
  • v10.0.0 (Medium, 4/8/2026): Release v10.0.0
  • v9.0.0 (Medium, 4/8/2026): Release v9.0.0
  • v8.1.0 (Medium, 4/8/2026): Release v8.1.0
  • v7.1.0 (Medium, 4/8/2026): Release v7.1.0
  • v7.0.0 (Medium, 4/8/2026): Release v7.0.0
  • v6.5.0 (Medium, 4/8/2026): Release v6.5.0
  • v6.0.0 (Medium, 4/8/2026): Release v6.0.0
  • v5.0.0 (Medium, 4/5/2026): Release v5.0.0
  • v4.1.1 (Medium, 3/29/2026): Runwall v4.1.1 is the patch release on top of the response-scanning and egress-enforcement work. Highlights: keeps the new inline gateway response scanning and outbound policy layers from v4.1.0; stabilizes the gateway smoke path on Windows runners; keeps required request-prompt verification on the deterministic egress-policy path; keeps the inline gateway server version, plugin metadata, and release assets aligned at 4.1.1. Verification: `claude plugin validate .`; `./bin/runwall audit .`
  • v4.1.0 (Medium, 3/29/2026): Runwall v4.1.0 verifies the inline MCP gateway foundation and adds the next two major runtime-control layers on top of it. Highlights: verified the inline MCP / tool-call gateway against the original PRD scope; added deterministic response scanning before tool output reaches the runtime; added JSON-safe redaction so structured MCP responses stay valid where possible; added response-side prompt and block flows for suspicious URLs and staged shell snippets; added per-profile outbound destin
  • v4.0.0 (Medium, 3/29/2026): Release v4.0.0
  • v3.3.5 (Medium, 3/29/2026): Release v3.3.5
  • v3.3.4 (Medium, 3/29/2026): Release v3.3.4
  • v3.3.3 (Medium, 3/29/2026): Release v3.3.3
  • v3.3.2 (Medium, 3/29/2026): Release v3.3.2
  • v3.3.1 (Medium, 3/29/2026): Release v3.3.1
  • v3.3.0 (Medium, 3/29/2026): Release v3.3.0
  • v3.2.0 (Medium, 3/29/2026): Release v3.2.0
  • v3.1.0 (Medium, 3/29/2026): Release v3.1.0
  • v3.0.0 (Medium, 3/29/2026): Release v3.0.0
  • v2.2.0 (Medium, 3/29/2026): Release v2.2.0
  • v2.1.0 (Medium, 3/27/2026): Release v2.1.0
  • v1.2.0 (Medium, 3/26/2026): Secure Claude Code 1.2.0 expands plugin threat coverage beyond install-source checks into post-install plugin behavior, sideloaded extension paths, and trust-boundary tampering. New malicious-plugin guard packs: `plugin-hook-origin-guard` blocks plugin hook commands that execute from temp, download, scratch, or other paths outside the plugin trust boundary; `plugin-exec-chain-guard` blocks dangerous download-and-execute or inline interpreter chains embedded inside plugin hook and
  • v1.1.7 (Medium, 3/25/2026): Secure Claude Code 1.1.7 is the clean green public release for the new Claude Code plugin path and the latest guard additions. Why this release matters: install from Claude Code with `/plugin marketplace add efij/secure-claude-code` and `/plugin install secure-claude-code@secure-claude-code`; keep the CLI path for `minimal`, `balanced`, `strict`, `doctor`, `validate`, update, uninstall, and local audit review; ship a balanced plugin baseline through `.claude-plugin/` and generated `hooks
  • v1.1.6 (Medium, 3/25/2026): Release v1.1.6
  • v1.1.5 (Medium, 3/25/2026): Release v1.1.5
  • v1.1.4 (Medium, 3/25/2026): Release v1.1.4
  • v1.1.3 (Medium, 3/25/2026): Release v1.1.3
  • v1.1.2 (Medium, 3/25/2026): Release v1.1.2
  • v1.1.1 (Medium, 3/25/2026): Release v1.1.1
  • v1.1.0 (Medium, 3/25/2026): Secure Claude Code 1.1.0 adds a real Claude Code plugin install path and expands local-first guard coverage for plugin abuse, MCP install trust, browser profile theft, git history destruction, and release-signing key theft. Why this release matters: this release makes Secure Claude Code easier to adopt for everyday Claude Code users. Install from the Claude Code plugin flow with `/plugin marketplace add efij/secure-claude-code` and `/plugin install secure-claude-code@secure-claude-code`
  • v0.9.0 (Medium, 3/24/2026): Secure Claude Code v0.9.0. Secure Claude Code is a modular security layer for Claude Code and Claude cowork-style agent workflows. This release turns the project into a YARA-style guard pack system for Claude Code security: modular guard packs; profile-driven install (`minimal`, `balanced`, `strict`); local-first hook enforcement; plain-text rule tuning; bootstrap install, repair, validation, and release packaging. Highlights: Claude Code guardrails for git abuse, secret leakage, e
