Stop secrets leaking into public LLMs
Your team pastes API keys, passwords and source code into ChatGPT, Claude and Gemini every day. Prompt Guard strips secrets and PII out of a prompt before it leaves the machine — reversibly, so the answer stays useful — and turns every redaction into auditor-ready AI-governance evidence. Local-first. Free. Open source.
Prompt hygiene, on your machine
Most data-loss tools are network proxies the prompt has to travel to — and cert-pinning defeats them. Prompt Guard is local-first: the prompt is scanned on your laptop, the detection rules are open, and the redaction is reversible so the answer stays useful.
Connect it to the ISO 42001 AI Management System in CATAAM and every prevented leak becomes continuous evidence that data going to public models is controlled.
What it does
Four ways to keep sensitive data out of the models — and prove it.
Redact in place
Put one prefix in front of your LLM command and keep typing as normal. Secrets in the args or piped stdin are swapped for placeholders before the call; the answer is re-hydrated locally — so it stays useful.
Block inside Claude Code
A UserPromptSubmit hook guards the interactive Claude Code TUI. If a typed prompt contains a secret, it is blocked before it reaches the model — fail-closed — and the prevented egress is logged.
Auditor-ready evidence
Every redaction or block becomes an immutable control event — previews only, never the raw secret — mapped to ISO 42001, NIST AI RMF and EU AI Act Art.12, and pushed into the CATAAM platform.
Open detection rules
AWS / GitHub / OpenAI / Anthropic / Google / Slack / Stripe keys, private keys, JWTs, PII and high-entropy tokens — all in inspectable rule packs you can fork and tune. Adding a pattern needs no code change.
From install to evidence in minutes
Pure stdlib core. No proxy, no cloud, no account to redact.
Install
pip install -e prompt-guard puts the promptguard command on your PATH. The core is pure Python stdlib — zero runtime dependencies.
Guard your terminal
promptguard install adds a shell snippet so claude/ask auto-guard the one-shot path. Keep using your LLM exactly as before.
Guard Claude Code
promptguard install-hook wires a block-on-secret hook into Claude Code so secrets never leave an interactive session.
Prove it
promptguard push streams the evidence into CATAAM, where your ISO 42001 AI data-egress control turns green automatically.
Honest coverage, real evidence
No single tool covers every surface, so we’re precise about what each one does — and every prevented leak, redacted or blocked, becomes a control event you can show an auditor.
| Surface | Behavior |
|---|---|
| One-shot / piped CLI (claude -p, llm, ollama) promptguard wrap | Silently redact (reversible) |
| Interactive Claude Code session promptguard install-hook | Block-on-secret (fail-closed) + evidence |
| Browser chat (ChatGPT / Claude / Gemini web) Browser extension | Redact pastes before they’re sent |
- Evidence carries previews only — never the raw secret
- Mapped to ISO 42001, NIST AI RMF & EU AI Act Art.12
- Open, inspectable detection rules (MIT)
Frequently Asked Questions
- What is Prompt Guard?
- Prompt Guard is a free, open-source tool from CATAAM that detects and redacts secrets, API keys and PII from a prompt before it leaves your machine, so they never reach public large language models like ChatGPT, Claude or Gemini. Redaction is reversible — the secret becomes a placeholder and the model’s answer is re-hydrated locally — and every prevented leak is recorded as auditor-ready evidence. It is MIT licensed and runs on a laptop.
- How does Prompt Guard protect secrets without breaking my workflow?
- It scans the prompt on-device and swaps each detected secret for a stable placeholder such as «PG:AWS_ACCESS_KEY_ID:1» before the request is sent. The model reasons over the placeholder and its answer is re-hydrated locally, so you keep a useful response while the real secret never leaves the machine. Nothing is sent anywhere to perform the scan itself.
- Does it work inside interactive Claude Code?
- Yes. A shell wrapper only covers one-shot or piped calls, so for the interactive Claude Code TUI, Prompt Guard installs a UserPromptSubmit hook. Because Claude Code hooks cannot rewrite a prompt, it runs fail-closed: a prompt containing a secret is blocked before it reaches the model, and the blocked egress is logged as compliance evidence. Run promptguard install-hook to enable it.
- How is this different from a network DLP proxy?
- Most data-loss tools are network proxies or SaaS that the prompt must travel to in order to be inspected — and they are defeated by certificate pinning. Prompt Guard is on-device and local-first: the prompt is scanned on your laptop, the detection rules are open and inspectable, and the redaction is reversible. It is built for the AI-governance era, emitting evidence mapped to AI frameworks rather than just a log line.
- Which compliance frameworks does the evidence map to?
- Each event maps the prevented leak to ISO/IEC 42001:2023 (AI management), the NIST AI RMF and its Generative AI Profile, the EU AI Act (Article 12 logging and Article 10 data governance), ISO 27001 (A.8.12 data-leakage prevention) and SOC 2 (CC6.7). Pushed into CATAAM, the events latch as evidence for the “AI prompt/data egress to public LLMs is controlled” control.
- Is Prompt Guard free and open source?
- Yes. Prompt Guard is MIT licensed and developed in the open at github.com/cataam-security/cataam. The core has no runtime dependencies. The highest-leverage way to contribute is to add a detection rule to rules.json.
- What does it detect?
- Out of the box it detects AWS, GitHub, OpenAI, Anthropic, Google, Slack and Stripe keys, PEM private keys, JWTs, generic assigned secrets, high-entropy tokens, and PII such as emails, credit-card numbers (Luhn-checked), SSNs, phone numbers and private IPs. The rule packs are JSON and easy to extend for your own secret formats or regional PII.
- Does the evidence ever contain the raw secret?
- No. Evidence records carry only non-sensitive previews (for example “AKI…LE (20 chars)”), the detection category, severity and the mapped controls — never the raw value. The reversible mapping needed to re-hydrate an answer is kept locally in a vault and is never transmitted.
Keep your secrets out of the models
Free, open source, and running on your laptop in minutes.
Part of the CATAAM open-source security toolkit.
WATCH
See Prompt Guard in action
From a leaked AWS key to a green ISO 42001 control — in 80 seconds.