Stop shipping vulnerable code
Security hardening and production-grade error handling expertise for Claude Code
Install · Coverage · Examples · How it Works
62% of AI-generated code contains at least one security vulnerability.
45% fail OWASP Top 10 checks. Error handling gaps are 2x more common in AI code than in human-written code. Claude is excellent at writing code fast - but without active guidance, it takes shortcuts: concatenating user input into SQL queries, using MD5 for passwords, swallowing exceptions silently, leaking stack traces to clients.
ShieldCode fixes this by giving Claude a set of non-negotiable rules that activate automatically whenever it touches user input, authentication, databases, APIs, file operations, or error handling.
Security (8 rules):
| Rule | What it enforces |
|---|---|
| Input Validation | Allowlist patterns, type/length/format/range checks |
| SQL Injection Prevention | Parameterized queries only - no string concatenation |
| XSS Prevention | Safe DOM APIs, Content Security Policy, template autoescape |
| Authentication | bcrypt/argon2 only, full JWT verification, rate limiting, secure cookies |
| Authorization | Server-side role checks, resource ownership validation |
| Secrets Management | Environment variables only - no hardcoded keys, no secret logging |
| File Security | Path traversal prevention, upload type/size restrictions |
| Dependency Safety | Only real, known packages (slopsquatting prevention) |
Error Handling (6 rules):
| Rule | What it enforces |
|---|---|
| Exception Hierarchy | Typed error classes - no raw Error throws |
| HTTP Status Codes | Correct 400/401/403/404/409/422/429/500 usage |
| Secure Logging | Structured JSON with correlation IDs, no PII or secrets |
| Retry with Backoff | Exponential backoff + jitter on all external calls |
| Circuit Breaker | Fail fast, recover gracefully |
| Async Error Safety | Handled promises, no unhandled rejections |
Every rule includes concrete UNSAFE vs SAFE examples in TypeScript and Python.
SQL Injection
// UNSAFE
db.query(`SELECT * FROM users WHERE id = '${id}'`);// SAFE
db.query('SELECT * FROM users WHERE id = $1', [id]);Password Hashing
// UNSAFE
const hash = crypto.createHash('md5').update(password).digest('hex');// SAFE
const hash = await bcrypt.hash(password, 12);Error Leakage
// UNSAFE
res.status(500).json({ error: err.stack });// SAFE
logger.error({ correlationId, err });
res.status(500).json({ error: 'Internal server error', correlationId });- Install ShieldCode (one command)
- Write code normally
- Claude automatically follows secure patterns
- Ship secure code every time
ShieldCode is a knowledge skill - a SKILL.md file that Claude Code loads from ~/.claude/skills/shieldcode/. No tools. No scripts. No external calls. Pure guidance that shapes Claude's output at the source.
curl -fsSL https://raw.githubusercontent.com/nikolasdehor/shieldcode/main/install.sh | bash# Claude Code plugin
claude plugins install github:nikolasdehor/shieldcode# Manual
mkdir -p ~/.claude/skills/shieldcode
curl -o ~/.claude/skills/shieldcode/SKILL.md \
https://raw.githubusercontent.com/nikolasdehor/shieldcode/main/skills/shieldcode/SKILL.mdAfter installing, restart Claude Code. The skill activates automatically on security-sensitive code.
- Claude Code - any plan (Free, Pro, Teams)
- That's it. Zero dependencies.
- v1.0 - OWASP Top 10 + Error Handling (current)
- v1.1 - CSRF protection, rate limiting patterns
- v1.2 - Database design security patterns
- v2.0 - Auto-scan mode (detect vulnerabilities in existing code)
MIT - see LICENSE
Built by Nikolas de Hor
Because 62% is not acceptable