OpenGuardrailsOpenGuardrailsBlog

2026-06-29

Guarding Claude Code with OpenGuardrails (even in bypass mode)

Install one plugin and risky Claude Code tool calls are denied before they run — even when you've turned permissions off.

Claude Code already has an auto-mode command classifier and an OS sandbox. So why add OpenGuardrails? Because of the gap those leave — the gap a real AMOS Stealer infection drove straight through (the incident):

So a single curl … | bash from a #1-ranked phishing site can run unchecked.

The enforcement point: PreToolUse, above the permission system

The key fact: PreToolUse hooks fire before Claude Code's permission-mode check, and a hook returning permissionDecision: "deny" blocks the call even in bypass mode. Users can't wave it away by changing modes. That's exactly where a guardrail belongs — and it's the one place the built-in classifier (auto mode only) can't reach.

The OGR plugin — openguardrails-instrumentation-claude-code — puts an OGR policy there:

/plugin marketplace add openguardrails/openguardrails-instrumentation-claude-code
/plugin install openguardrails@openguardrails
tool call → PreToolUse hook → @openguardrails/core Runtime
   → GuardEvent → composed Verdict → permissionDecision (deny | ask | allow)

It runs the real OGR runtime (@openguardrails/core), bundled so the plugin installs with just Node — no npm install. On a benign call it stays silent; it fails open on its own errors (a guardrail must never brick the agent) and fails closed on a matched rule.

What it catches out of the box

Tool callDecision
curl … | bash, obfuscated payload → shelldeny
rm -rf / / ~ / $HOMEdeny
egress to a host not in the allow-listask
reads of ~/.ssh, ~/.aws, .env, Keychain, cookiesask
everything elseallow (silent)

The rules are an OGR policy you own — and a security vendor's detector (threat-intel, a prompt-injection model) composes alongside them by implementing one interface, with no change to the plugin or Claude Code.

Honest limits

OGR guards the agent — it stops the dangerous call at the boundary. It is not antivirus / EDR: once code executes and escapes to OS-level root persistence, it's no longer an agent action. Keep the sandbox on and set allowUnsandboxedCommands: false for defense-in-depth. Full walkthrough: the Claude Code integration doc.


Spec · the incident this prevents · repo.