Runwall: Building Safety Guardrails for AI Coding Assistants to Mitigate Prompt Injection and Data Leak Risks

Runwall is a security tool designed specifically for AI coding assistants like Claude Code and Codex, aiming to mitigate risks such as prompt injection, data leaks, dangerous command execution, and MCP tool abuse. It adopts a YARA-style modular guard package design and offers two working modes: audit mode (for security assessment and compliance checks) and runtime mode (for real-time interception and review). All security checks are performed locally, balancing security and development efficiency.

The popularity of AI coding assistants brings convenience but also introduces multiple security risks:

1. Secret Leakage: Accidentally reading and leaking sensitive information such as API keys and database passwords;
2. Prompt Injection: Injecting malicious instructions by contaminating data sources (files, web pages, shell outputs, etc.);
3. Dangerous Command Execution: Executing destructive commands (e.g., rm -rf /) or establishing persistent backdoors;
4. MCP Tool Abuse: Malicious MCP servers, parameter smuggling, batch reading of sensitive data, etc.;
5. Git Operation Risks: Forced pushes, history rewriting, injecting malicious code;
6. Trust Boundary Breach: Modifying hosts files, sudo policies, etc., to break local trust boundaries.

Runwall's design follows five principles:

1. Runtime Security First: Real-time interception of AI assistant operations to address dynamic threats;
2. Modular Guard Packages: YARA-like modular design where each guard package targets one type of attack;
3. Local Priority: All security checks are completed locally, with no sensitive data sent to the cloud;
4. Transparent and Auditable: Records security events to local logs, supporting audit and traceability;
5. Low-Friction Experience: Provides three configuration files (strict/balanced/relaxed) to balance security and efficiency.

Runwall supports two working modes:

• Audit Mode: Scans AI assistant configurations, MCP servers, etc., to generate security score reports, suitable for pre-installation evaluation or CI/CD compliance checks;
• Runtime Mode: Real-time interception of operations, subdivided into three integration methods:
  1. Native Runtime Adapter: Directly integrated into tools that support hooks (e.g., Claude Code);
  2. Plugin/Bundle Installation: Installed via Codex plugin market or OpenClaw bundle;
  3. Inline MCP Gateway Mode: Acts as an MCP proxy to provide protection for clients like Cursor.

Runwall's protection covers multiple dimensions:

1. Secret Protection: Blocks reading of sensitive files (e.g., .env, .ssh/id_rsa) and forwarding of sensitive data;
2. Prompt Injection Protection: Scans for injection-inducing information in content like files and web pages;
3. Dangerous Command Interception: Blocks destructive shell commands, dangerous Git operations, and persistence mechanisms;
4. MCP Security: Intercepts tool calls, reviews parameters and responses, and enforces outbound policies;
5. Agent Session Protection: Prevents access to sensitive resources like browser sessions and cluster keys;
6. Audit Evasion Detection: Identifies and blocks behaviors like log clearing.

Runwall provides three preset configuration files:

• Strict: Suitable for sensitive environments with the strictest protection;
• Balanced: Recommended for most users, balancing security and efficiency;
• Relaxed: Suitable for personal development with minimal interference.

Platform Support:

• Tools: Claude Code (native hooks), Codex (plugin/bundle), Cursor/Windsurf (MCP gateway), etc.;
• OS: Full support for macOS/Linux, Windows supported via Git Bash or WSL.

Limitations: Runwall is a local execution layer that reduces risks, not a complete security solution. Additional controls (e.g., network isolation, least privilege) are required, along with regular log reviews and updates. It has limited value in pure chat scenarios.

Future Outlook:

• More intelligent semantic analysis (beyond regular expressions);
• Integration with SIEM/SOAR systems;
• Dedicated guard packages for specific industry compliance;
• Community contributions to enrich protection capabilities.