Anthropic is honest about what their safeguards cover. Here is what you still need.
Prompt injection is a technique where an attacker attempts to override or manipulate an AI assistant instructions by inserting malicious text.
No browser agent is immune to prompt injection.
That is Anthropic, being accurate. Claude Code is powerful -- it can read your codebase, edit files, run commands, and with Dispatch or Cowork do all of that on a schedule from anywhere. That capability is what makes security matter.
Claude Code default model is permission-based. For interactive sessions that works. But two scenarios break it.
Claude Code Dispatch runs tasks on a schedule on Anthropic infrastructure. You are not there when it runs. No approval prompt. If the task gets hijacked mid-execution, you find out later.
Indirect prompt injection hides instructions in places Claude reads: a README, a code comment, a webpage, a document. By the time you see the approval request, the framing has already been shaped by injected content.
Lasso Security documented exactly this: The attacker never interacts with the AI directly. Instead they hide malicious instructions in places the AI will read.
Enabled with /sandbox, it isolates bash commands. If an injection succeeds, it limits blast radius. But it is not on by default and does not stop the injection from happening.
Hooks let you intercept tool calls with custom scripts. They catch what they are configured to catch. A sophisticated injection finds the gap.
Anthropic Cowork docs: Only connect these agents if you are comfortable with what they could do, not just what you intend them to do. That is good advice. Shoofly is how you act on it.
Shoofly is a pre-execution security layer for Claude Code. It works alongside Anthropic built-in protections and does behavioral analysis in real time.
Every tool call goes through Shoofly before it executes. Not logged after. Checked before.
Shoofly gives you a running audit trail of everything your unattended agent did, flagged by severity.
Dispatch tasks running on Anthropic cloud infrastructure do not execute local hooks. Shoofly covers local Claude Code CLI sessions fully.
Anthropic takes security seriously but safe depends on your threat model. Shoofly adds behavioral monitoring and pre-execution blocking that Anthropic tools are not designed to provide.
Malicious instructions hidden in content Claude reads -- a file, a webpage, an API response -- that override its intended behavior. Anthropic documents this as the primary risk.
Infrastructure security is solid. The risk is Claude behavior being redirected by injected content in the tasks it processes. That is a model behavior issue, not an infrastructure issue.
PromptArmor documented that Claude Cowork is vulnerable to file exfiltration via indirect prompt injection. An attacker embeds a malicious prompt in a file, Cowork reads it, then uploads your files to the attacker server. Confirmed against Claude Haiku and Opus 4.5.
Installs a local daemon and registers a hook in ~/.claude/settings.json. Before any tool call executes, the hook checks it against Shoofly threat policy. Pass means run. Fail means block and alert.
No. Works alongside them. Shoofly adds behavioral analysis at the tool-call level.
Basic watches and alerts. Advanced blocks before execution. Basic detects. Advanced stops. Advanced is 5 dollars per month.
It should not. Legitimate calls pass through. False positives can be allowlisted.
Local Claude Code CLI sessions are fully covered. Tasks dispatched from Anthropic's cloud infrastructure don't execute local hooks — that's a known limitation we're transparent about.
Shoofly intercepts the tool call before Claude executes it. Before the file is written, before the command runs, before the network request fires. Stopped before, not detected after.