Unvalidated input is an open door. InputShield slams it shut.

Catch missing validation, unsafe deserialization, ReDoS, path traversal, command injection, and XSS across your entire codebase before attackers do. 90 checks. 6 categories. Zero false sense of security.

$ clawhub install inputshield
inputshield scan --verbose
$ inputshield scan
🛡️ InputShield v1.0.0
 
Scanning 128 files across 6 categories...
 
  api/exec.js:23
    CRITICAL CI-001: Shell command injection via user input
    → User-supplied string passed directly to child_process.exec()
    → Sanitize with shell-escape or use execFile() with argument array
 
  ml/model.py:45
    CRITICAL DS-003: Unsafe pickle.loads on untrusted data
    → Deserialization of user-controlled bytes enables arbitrary code exec
    → Use json.loads() or validate with hmac before unpickling
 
  upload/handler.ts:67
    HIGH PT-002: Path traversal via unsanitized filename
    → req.body.filename used in path.join() without stripping ../
    → Use path.basename() and validate against allowed directory
 
  components/Comment.jsx:31
    HIGH XS-001: innerHTML assignment with user-controlled data
    → Dynamic HTML from props rendered without sanitization
    → Use textContent, DOMPurify.sanitize(), or framework escaping
 
  validators/email.js:12
    MEDIUM RD-004: Catastrophic backtracking regex pattern
    → Nested quantifiers in /^([a-z]+)+@/ cause exponential time on crafted input
    → Use atomic groups or rewrite without nested repetition
 
  ────────────────────────────────────────────────────────────
  Score: 48/100 (Grade: F)
  2 critical  2 high  1 medium  |  5 findings in 128 files
 
  Fix the 2 critical issues first. Run inputshield fix --interactive for guided remediation.

Every input is an attack surface. Most of yours are unguarded.

SQL injection, command injection, path traversal, XSS — they all start the same way: user input that nobody validated. InputShield scans every entry point in your codebase and tells you exactly where the gaps are, before an attacker walks through them.

90 validation checks
6 attack categories
All languages supported
100% local scanning

What InputShield catches

90 checks across 6 critical input security categories

Input Validation (15 checks)

Missing length checks, absent type validation, unchecked boundary values, unvalidated enum inputs, and missing null/undefined guards on user-facing endpoints.

Deserialization (15 checks)

Unsafe JSON.parse on unvalidated input, pickle.loads on untrusted bytes, yaml.load without SafeLoader, XML external entity injection, and unprotected object hydration.

ReDoS (15 checks)

Catastrophic backtracking patterns, nested quantifiers, overlapping alternations, unbounded repetition on user input, and missing regex timeout guards.
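The nested-quantifier shape behind the RD-004 finding in the scan output above can be recognised statically. The following is an added example written for this page, not InputShield's own rule engine: hasNestedQuantifier() walks the source text of a regular expression and flags a quantified group whose body already contains an unbounded quantifier, the /^([a-z]+)+@/ pattern from the demo. It skips escapes and character classes but is a heuristic for that one ReDoS shape, not a full regex parser; overlapping alternations such as (a|aa)+ are out of its scope. The file locations and patterns in PATTERNS are constructed sample data.

```javascript
// Added example, not InputShield's code: a static check for the nested
// unbounded quantifier shape (...+)+ / (...*)* that causes catastrophic
// backtracking. Heuristic only; it does not cover overlapping alternation.

// If source[i] opens an open-ended quantifier of the form {m,} return the index
// of its closing brace, otherwise -1 (bounded {m,n} and exact {m} are ignored).
function openEndedBrace(source, i) {
  const end = source.indexOf("}", i);
  if (end === -1) return -1;
  return /^\d+,$/.test(source.slice(i + 1, end)) ? end : -1;
}

function hasNestedQuantifier(source) {
  const groups = [];      // one flag per open group: body holds an unbounded quantifier
  let inClass = false;    // inside [...] the metacharacters below are literal
  let justClosed = false; // previous token was ")"
  let closedHad = false;  // ...and that group's body held an unbounded quantifier
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === "\\") { i++; justClosed = false; continue; } // skip escaped char
    if (inClass) { if (ch === "]") inClass = false; continue; }
    if (ch === "[") { inClass = true; justClosed = false; continue; }
    if (ch === "(") { groups.push(false); justClosed = false; continue; }
    if (ch === ")") {
      closedHad = groups.pop() === true;
      // A group that holds a quantifier makes its parent hold one too.
      if (closedHad && groups.length) groups[groups.length - 1] = true;
      justClosed = true;
      continue;
    }
    let unbounded = ch === "*" || ch === "+";
    if (ch === "{") {
      const end = openEndedBrace(source, i);
      if (end !== -1) { unbounded = true; i = end; }
    }
    if (unbounded) {
      if (justClosed && closedHad) return true; // (...+)+ : the ReDoS shape
      if (groups.length) groups[groups.length - 1] = true;
    }
    justClosed = false;
  }
  return false;
}

// Constructed sample patterns keyed by a file:line label, as a scanner would
// collect them; only the first label is taken from the demo output above.
const PATTERNS = {
  "validators/email.js:12": "^([a-z]+)+@",
  "validators/email.js:18": "^[a-z]+@[a-z]+\\.[a-z]{2,}$",
  "parsers/csv.js:7": "(\\d+\\s*)*,",
  "parsers/ws.js:3": "(ab)*c",
};

// Returns the labels of every pattern that exhibits the nested shape.
function scanPatterns(patterns = PATTERNS) {
  return Object.entries(patterns)
    .filter(([, src]) => hasNestedQuantifier(src))
    .map(([label]) => label);
}
```

The rewrite the RD-004 advice points at is visible in the sample set: the second email pattern matches the same inputs without a quantified group around a quantified class, and the checker passes it.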

Path Traversal (15 checks)

Directory traversal via ../ sequences, unsanitized filenames in path.join(), symlink attacks, null-byte injection in file paths, and missing chroot/jail constraints.

Command Injection (15 checks)

Shell exec with user input, eval() on dynamic strings, system() calls without escaping, backtick interpolation, and template literal code execution via user data.

XSS / Output (15 checks)

innerHTML with user data, dangerouslySetInnerHTML usage, template injection in server-rendered HTML, unescaped output in EJS/Pug/Handlebars, and href/src attribute injection.

How it works

Three commands. Full input security audit.

1. Install
$ clawhub install inputshield

2. Scan
$ inputshield scan

3. Fix
$ inputshield fix --interactive

Free vs Pro vs Team

Feature Free Pro Team
Files per scan 10 files Unlimited Unlimited
Input validation checks 5 basic All 15 All 15
Deserialization checks 3 basic All 15 All 15
ReDoS detection ✓ All 15 ✓ All 15
Path traversal checks ✓ All 15 ✓ All 15
Command injection checks ✓ All 15 ✓ All 15
XSS / output checks 3 basic All 15 All 15
Pre-commit hooks
HTML & JSON reports
SARIF output for CI
Guided remediation ✓ Interactive ✓ Interactive
Custom validation rules
Team policy enforcement
Baseline allowlisting ✓ Per-team
Support Community Email Priority + Slack

Simple, transparent pricing

Start scanning for free. Upgrade when your input security demands it.

Free
$0
  • 10 files per scan
  • 11 basic checks across 3 categories
  • Terminal output
  • Single directory scanning
  • Community support
Install Free
Team
$39/mo
  • Everything in Pro
  • SARIF output for CI pipelines
  • Custom validation rules
  • Team policy enforcement
  • Per-team baseline management
  • Priority support + Slack

Your inputs are your biggest attack surface

Install InputShield in 30 seconds. Find every missing validation, unsafe deserializer, and injection vector before your next deploy.

$ clawhub install inputshield