Stats
Actions
Available In
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
By sanchay-t
AI-powered permission gatekeeper — routes permission requests to Opus 4.5 via AWS Bedrock for context-aware auto-approval with instant DENY safety net
AI-powered permission gatekeeper for Claude Code. Routes permission requests to Opus 4.5 for context-aware auto-approval, with an instant safety net for dangerous patterns.
type: "prompt"?Other approaches use Claude Code's built-in type: "prompt" hooks for permission evaluation. This doesn't work. Due to a known issue, type: "prompt" hooks acknowledge the permission but the dialog still appears — defeating the purpose.
Opus Shield uses type: "command" with hookSpecificOutput JSON, which is the only approach that actually suppresses the permission dialog.
Permission request arrives
│
├── In your AllowList? → auto-approved instantly (hook never fires)
│
└── Not in AllowList? → Opus Shield fires
│
├── DENY safety net (~40ms)
│ Instant regex matching for dangerous patterns:
│ • rm -rf /, sudo, chmod 777
│ • Pipe-to-shell (curl | bash)
│ • Data exfiltration (pipe to curl/wget/ssh)
│ • System path edits (/etc, /usr, /bin)
│ • Secrets access (.ssh, .aws, .env)
│ • Internal IP access (localhost, 127.0.0.1)
│
└── Opus 4.5 review (~2-4s)
Context-aware AI evaluation via AWS Bedrock or Anthropic API.
Reads your session transcript to understand what you're working on.
Returns ALLOW or DENY based on whether the action makes sense.
| Tool | What's checked |
|---|---|
| Bash | Command content, working directory, description |
| Edit/Write | File path (blocks system paths, secrets, .env) |
| WebFetch | URL, domain (blocks internal IPs, auth tokens in URLs) |
jq installed (brew install jq)aws CLI installed (for Bedrock backend) or curl (for Anthropic API)/plugin marketplace add sanchay/opus-shield
/plugin install opus-shield@sanchay
git clone https://github.com/sanchay/opus-shield.git
claude --plugin-dir ./opus-shield
After installing, run the setup:
bash opus-shield/src/setup.sh
This copies the hook script to ~/.opus-shield/ and creates a credential file.
Edit ~/.opus-shield/.env with your credentials:
Option A — AWS Bedrock (recommended):
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=your-key
AWS_SECRET_ACCESS_KEY=your-secret
Option B — Anthropic API:
ANTHROPIC_API_KEY=sk-ant-...
Restart Claude Code for hooks to take effect.
Opus Shield works best when paired with a generous AllowList. Safe commands in the AllowList are auto-approved instantly (0ms) and never fire the hook. Only unknown/risky commands reach Opus Shield.
Add this to your ~/.claude/settings.json:
{
"permissions": {
"allow": [
"Read", "Glob", "Grep", "Task", "WebSearch",
"Bash(git:*)", "Bash(npm:*)", "Bash(pnpm:*)", "Bash(yarn:*)",
"Bash(npx:*)", "Bash(node:*)", "Bash(tsc:*)", "Bash(tsx:*)",
"Bash(python3:*)", "Bash(biome:*)", "Bash(eslint:*)",
"Bash(prettier:*)", "Bash(jest:*)", "Bash(vitest:*)",
"Bash(ls:*)", "Bash(cat:*)", "Bash(grep:*)", "Bash(find:*)",
"Bash(head:*)", "Bash(tail:*)", "Bash(wc:*)", "Bash(mkdir:*)",
"Bash(touch:*)", "Bash(cp:*)", "Bash(mv:*)", "Bash(diff:*)",
"Bash(sort:*)", "Bash(jq:*)", "Bash(echo:*)", "Bash(pwd:*)",
"Bash(which:*)", "Bash(file:*)", "Bash(stat:*)"
]
}
}
Commands NOT in this list (like curl, rm, docker, lsof) will be evaluated by Opus Shield.
| Path | Latency | When |
|---|---|---|
| AllowList | 0ms | Safe commands (git, npm, ls, etc.) |
| DENY safety net | ~40ms | Dangerous patterns (sudo, rm -rf /, etc.) |
| Opus L2 | 2-4s | Everything else (curl, docker, unknown commands) |
settings.local.jsonClaude Code accumulates user-approved commands in .claude/settings.local.json (project-level). These bypass hooks entirely. If a command isn't hitting Opus Shield, check this file and clean out accumulated permissions.
| Feature | Opus Shield | type: "prompt" plugins | AllowList only |
|---|---|---|---|
| Actually auto-approves | Yes | No (dialog still shows) | Yes |
| Context-aware | Yes (reads session) | Partial | No |
| Instant dangerous blocks | Yes (DENY net) | No | No |
| Covers Edit/Write/WebFetch | Yes | Usually Bash only | N/A |
| Latency for unknown commands | 2-4s | N/A (broken) | N/A (shows dialog) |
Check if hooks are loaded:
/hooks
Enable debug mode to see hook execution:
claude --debug
Check the debug log for PermissionRequest entries to verify the hook is firing.
MIT
Executes bash commands
Hook triggers when Bash tool is used
Modifies files
Hook triggers on file write and edit operations
Own this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimOwn this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimBased on adoption, maintenance, documentation, and repository signals. Not a security audit or endorsement.
npx claudepluginhub sanchay-t/opus-shieldSmart command safety filter for Claude Code — parses shell pipelines and evaluates per-command safety rules to auto-approve safe commands and block dangerous ones
banyuduAchieve flow state safely with Claude Code. Auto-approves routine work, gates risky actions, hard-blocks dangerous patterns. Dual enforcement (skill + hooks), token cap for cost governance, full audit trail. Zero dependencies.
Myr-AyaA secure runtime for Claude Code. Intercepts every tool call with policy-based allow/block/ask decisions, evasion detection, path fencing, file snapshots, and audit logging.
railyard-devProtect secrets and credentials from Claude Code. Blocks writes to .env files, detects API keys in shell commands, prevents hardcoded tokens, and guards service account JSON files.
yurukusaSafety hooks to block or require user approval for dangerous commands (rm, git operations, .env access, file size limits)
pchalasaniBlock destructive git and filesystem commands before execution
kenryu42