A new security tool called Shoofly launched this week with a simple pitch: catch what your AI agents shouldn't do before they do it. The drop-in runtime security solution works with both OpenClaw and Claude Code (including Cowork and Dispatch modes), sitting between the agent and your system to intercept malicious or dangerous tool calls before they execute.

The Threat Landscape Is Real

The timing couldn't be better. Anthropic explicitly states on their safety page that built-in Claude filters "are not a security boundary" — an admission that's been ringing alarm bells across the agentic AI space. Snyk's recent audit found that 36% of ClawHub skills contain security flaws, while Trend Micro documented actual malware distribution through the ClawHub marketplace. These aren't theoretical risks anymore; they're happening in production.

What Shoofly Actually Blocks

Shoofly detects eight distinct prompt injection patterns, including jailbreaks, instruction overrides, and base64-encoded payloads hidden in web content, emails, and documents. It intercepts credential theft attempts targeting API keys, GitHub tokens, and AWS credentials before they leave your machine. Unauthorized writes to sensitive paths like /etc/, ~/.ssh/, and LaunchAgents get blocked pre-execution. The tool also catches malware embedded in tool results — the exact attack vector Anthropic calls their #1 risk — and detects runaway agents stuck in loops from repeated tool calls or call floods.

Pricing and Implementation

The Basic tier is free forever: it detects threats, sends notifications via Telegram or macOS alerts and keeps a local SQLite audit trail, but never blocks. The Advanced tier runs $5/month and adds pre-execution interception, actually stopping the dangerous call before it fires rather than just logging it afterwards. Both tiers use YAML policy-as-code that's fully auditable and forkable. Installation is a single curl command with no account creation and no credit card, and no data leaves your machine.
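To make the model concrete, here is an added example of what a pre-execution guard of this kind does: it applies the checks described under "What Shoofly Actually Blocks" (writes to sensitive paths, credentials in outbound calls, runaway loops and call floods, injection patterns in tool results) and the alert-versus-block split from the pricing tiers. This is illustrative code written for this article, not Shoofly's code: the policy layout, the tool names (`write_file`, `http_request`, ...), the detection patterns and every sample call are constructed assumptions, and the real product's YAML schema may look nothing like this.

```python
import os
import re
import time
from collections import deque
from dataclasses import dataclass, field

# Hypothetical policy, shaped the way a YAML policy-as-code file might look once
# loaded. Constructed for this example; not Shoofly's real schema.
POLICY = {
    "mode": "block",  # a detect-only tier would run as "alert": notify, never stop
    "write_tools": ["write_file", "edit_file"],
    "egress_tools": ["http_request", "send_email"],
    "sensitive_write_paths": ["/etc", "~/.ssh", "~/Library/LaunchAgents"],
    "credential_patterns": {                      # shapes only, no real secrets
        "aws_access_key": r"\bAKIA[0-9A-Z]{16}\b",
        "github_token": r"\bghp_[A-Za-z0-9]{36}\b",
    },
    "injection_patterns": {
        "instruction_override": r"ignore (?:all )?(?:previous|prior) instructions",
        "base64_blob": r"(?:[A-Za-z0-9+/]{4}){16,}={0,2}",  # 64+ chars of base64 alphabet
    },
    "loop": {"window_seconds": 10, "max_identical_calls": 3, "max_calls_in_window": 20},
}


@dataclass
class Decision:
    action: str                      # "allow", "alert" or "block"
    reasons: list = field(default_factory=list)


class ToolCallGuard:
    """Sits between the agent and the system; each tool call passes through evaluate()."""

    def __init__(self, policy=POLICY, clock=time.monotonic):
        self.policy = policy
        self.clock = clock              # injectable so the loop detector is testable
        self.history = deque()          # (timestamp, fingerprint) of recent calls

    def _sensitive_write(self, call):
        if call["tool"] not in self.policy["write_tools"]:
            return None
        target = call["args"].get("path", "")
        # Expand ~ and collapse ".." so "/etc/../etc/hosts" still resolves under /etc.
        resolved = os.path.normpath(os.path.expanduser(target))
        for root in self.policy["sensitive_write_paths"]:
            root = os.path.normpath(os.path.expanduser(root))
            if resolved == root or resolved.startswith(root + os.sep):
                return f"write to sensitive path {target!r} (under {root})"
        return None

    def _credential_egress(self, call):
        if call["tool"] not in self.policy["egress_tools"]:
            return None
        blob = " ".join(str(v) for v in call["args"].values())
        for name, pattern in self.policy["credential_patterns"].items():
            if re.search(pattern, blob):
                return f"{name} found in outbound {call['tool']} arguments"
        return None

    def _loop(self, call, now):
        cfg = self.policy["loop"]
        fingerprint = (call["tool"], tuple(sorted(call["args"].items())))
        self.history.append((now, fingerprint))
        while self.history and now - self.history[0][0] > cfg["window_seconds"]:
            self.history.popleft()          # forget calls outside the sliding window
        identical = sum(1 for _, fp in self.history if fp == fingerprint)
        if identical > cfg["max_identical_calls"]:
            return f"identical call repeated {identical} times in {cfg['window_seconds']}s"
        if len(self.history) > cfg["max_calls_in_window"]:
            return f"{len(self.history)} calls in {cfg['window_seconds']}s (call flood)"
        return None

    def evaluate(self, call):
        """Decide before the call executes; 'block' means it never fires."""
        now = self.clock()
        checks = (self._sensitive_write(call), self._credential_egress(call), self._loop(call, now))
        reasons = [r for r in checks if r]
        if not reasons:
            return Decision("allow")
        return Decision("block" if self.policy["mode"] == "block" else "alert", reasons)

    def scan_result(self, text):
        """Flag injection patterns in a tool result before it reaches the model."""
        return [name for name, pattern in self.policy["injection_patterns"].items()
                if re.search(pattern, text, re.IGNORECASE)]


if __name__ == "__main__":
    guard = ToolCallGuard()
    for call in (  # constructed sample calls
        {"tool": "write_file", "args": {"path": "./notes.md", "content": "constructed"}},
        {"tool": "write_file", "args": {"path": "~/.ssh/authorized_keys", "content": "constructed"}},
        {"tool": "http_request", "args": {"url": "https://example.invalid/", "body": "AKIAEXAMPLEEXAMPLE12"}},
    ):
        print(call["tool"], guard.evaluate(call))
```

The distinction the article draws between the two tiers lives in one line of `evaluate`: with `mode` set to `alert` the same findings are reported but the call is still allowed through, so the audit trail is the only thing that changes; with `mode` set to `block` the caller is expected to drop the call. The loop detector keys on a fingerprint of tool name plus arguments, which is what separates a genuinely stuck agent from one that legitimately reads many different files.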

Key Takeaways

  • Pre-execution blocking vs. post-detection alerting is the key differentiator
  • 100% local processing — no cloud API means no DPA headaches
  • Anthropic's own documentation admits their filters aren't a security boundary
  • 36% of ClawHub skills have known security flaws per Snyk
  • Free tier is genuinely free, not a freemium trap with limits