shield
Enable, disable, or check the shell shim protection.
The shield installs PATH-priority wrapper scripts that intercept all shell commands any AI tool executes. Universal protection — works with any tool that runs shell commands.
Usage
sl shield enable
sl shield disable
sl shield statusSubcommands
shield enable
Creates shimmed binary wrappers in ~/.securitylayer/bin/ and adds the directory to your shell profile's PATH (prepended for priority).
Shimmed binaries: bash, sh, zsh, python, python3, node, ruby, perl
Each shim calls sl check before forwarding to the real binary.
Exit codes: 0 on success, 1 if not configured or no binaries found.
shield disable
Removes all shim scripts from ~/.securitylayer/bin/ and removes the PATH entry from your shell profile.
Exit codes: Always 0.
shield status
Shows whether the shield is active, the shim directory status, and which binaries are shimmed.
Shield Status
Shim directory: ~/.securitylayer/bin/ (exists)
PATH includes shim dir: yes
Shimmed binaries: bash, sh, zsh, python, python3, node, ruby, perl
Status: ACTIVEExit codes: Always 0.
How it works
When an AI tool (Claude Code, Cursor, Aider, etc.) runs a shell command:
- The shimmed binary intercepts the call
sl checkevaluates the command against your policy- If allowed, the real binary executes the command
- If denied, the command is blocked with an error message
Caller detection identifies which AI tool triggered the command and applies the appropriate capability profile.
See also
- Shell shim integration
- check — The check command used by shims
- callers — AI tool caller detection