How to Secure Claude Code with SpiderShield (3 Minutes Setup)
> TL;DR: Claude Code's PreToolUse hook lets you check every MCP tool call against SpiderShield's trust database before execution. Grade F tools get blocked. Grade D tools trigger a warning. Takes 3 minutes to set up.
---
The Problem
When Claude Code uses an MCP server, it trusts every tool blindly. There's no check for:
- Is this MCP server known to have security issues?
- Does it have token leakage vulnerabilities?
- Has it been flagged as malicious?
You're relying on the agent to make safe choices — but the agent doesn't have security data.
The Solution: PreToolUse Hook + SpiderShield API
Claude Code supports hooks — scripts that run before/after tool calls. We use the PreToolUse hook to query SpiderShield's trust database (15,923 rated MCP servers) before every tool execution.
```text
Claude Code wants to call mcp__stripe__create_charge
  -> PreToolUse Hook fires
  -> curl spiderrating.com/v1/public/check?tool=mcp__stripe__create_charge
  -> API returns: { verdict: "safe", score: 7.2, grade: "B" }
  -> Hook exits 0, tool call proceeds
```
If the server is rated F (malicious), the hook exits with code 2 — Claude Code blocks the tool call entirely.
Setup (3 Minutes)
Step 1: Download the hook script
```bash
mkdir -p ~/.claude/hooks
curl -o ~/.claude/hooks/spidershield-hook.sh \
  https://raw.githubusercontent.com/teehooai/spidershield/main/scripts/spidershield-hook.sh
chmod +x ~/.claude/hooks/spidershield-hook.sh
```
Step 2: Add to Claude Code settings
Add this to ~/.claude/settings.json (global) or .claude/settings.json (per-project):
```json
{
  "hooks": {
    "PreToolUse": [{
      "matcher": "mcp__.*",
      "hooks": [{
        "type": "command",
        "command": "~/.claude/hooks/spidershield-hook.sh"
      }]
    }]
  }
}
```
Step 3: Done
Every MCP tool call now gets checked. No account needed. No API key. Completely free.
What Happens
| Server Grade | Score | Verdict | Action |
|---|---|---|---|
| A-C | 5.0+ | safe | Allow |
| D | 3.0-4.9 | risky | Allow + warning |
| F | <3.0 | malicious | Blocked |
| Not rated | — | unknown | Allow |
How It Works Under the Hood
- Claude Code fires the `PreToolUse` event with JSON on stdin
- Hook extracts `tool_name` (e.g., `mcp__context7__resolve_library_id`)
- Calls SpiderRating public API: `/v1/public/check?tool=<name>`
- API looks up the MCP server, returns score + verdict
- Hook decides: exit 0 (allow) or exit 2 (block)
The API call adds ~50-100ms on first call. Non-MCP tools (Bash, Read, Write) are skipped entirely.
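The flow above, written out as a Python equivalent of the hook. This is an added example, not the project's spidershield-hook.sh: it reads the event from stdin, skips non-MCP tools, queries the public check endpoint with the 2-second fail-open timeout and maps the verdict to exit 0 (allow) or 2 (block). The `SPIDERSHIELD_API` override variable is an assumption of this example; the endpoint path and the `verdict`/`score`/`grade` fields are the ones the page shows.

```python
"""Hypothetical Python equivalent of the SpiderShield PreToolUse hook (added example).
Reads the Claude Code hook event (JSON) on stdin, looks up tool_name on the public
check endpoint and maps the verdict to the hook exit code: 0 = allow, 2 = block."""
import json, os, sys
import urllib.error, urllib.parse, urllib.request
# Endpoint path and response fields (verdict/score/grade) come from the page;
# the SPIDERSHIELD_API override variable is an assumption of this example.
API_BASE = os.environ.get("SPIDERSHIELD_API", "https://spiderrating.com/v1/public/check")
TIMEOUT_SECS = 2.0      # API slow or down -> the tool call proceeds (fail-open, as the page states)
ALLOW, BLOCK = 0, 2     # Claude Code treats exit code 2 from a PreToolUse hook as a block

def should_check(tool_name: str) -> bool:
    """Only MCP tools are looked up; built-ins such as Bash/Read/Write are skipped."""
    return tool_name.startswith("mcp__")

def fetch_verdict(tool_name: str):
    """Send only the tool name to the check endpoint; return parsed JSON or None on failure."""
    url = API_BASE + "?" + urllib.parse.urlencode({"tool": tool_name})
    try:
        with urllib.request.urlopen(url, timeout=TIMEOUT_SECS) as resp:
            return json.load(resp)
    except (urllib.error.URLError, ValueError, OSError):
        return None

def decide(response):
    """Map an API response (or None) to (exit_code, message) following the grade table."""
    if not response:
        return ALLOW, "SpiderShield: no rating or API unreachable, allowing"
    verdict, grade, score = (response.get(k, "?") for k in ("verdict", "grade", "score"))
    if verdict == "malicious":
        return BLOCK, f"SpiderShield: BLOCKED (grade {grade}, score {score})"
    if verdict == "risky":
        return ALLOW, f"SpiderShield: WARNING risky server (grade {grade}, score {score})"
    return ALLOW, ""        # safe, or unknown (not rated)

def main() -> int:
    try:
        event = json.load(sys.stdin)
    except ValueError:
        return ALLOW        # malformed event: a hook bug must not break the agent
    tool = str(event.get("tool_name", ""))
    if not should_check(tool):
        return ALLOW
    code, msg = decide(fetch_verdict(tool))
    if msg:
        print(msg, file=sys.stderr)   # on exit 2 Claude Code returns stderr as the block reason
    return code

if __name__ == "__main__":
    sys.exit(main())
```

To use it in place of the shell script, point the `command` in settings.json at `python3 ~/.claude/hooks/spidershield-hook.py`.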
Privacy & Performance
- No payload data sent: Only the tool name is sent. No code, no arguments, no file contents.
- No account needed: The API endpoint is free and unauthenticated.
- Fast: ~50ms. 2-second timeout — if the API is down, the tool proceeds normally.
- Open source: The hook script and scanner are MIT licensed.
What's Next
This hook checks the server's reputation. We're building deeper runtime protection:
- Parameter-level checks: Block `amount > $500` on financial tools
- Output scanning: DLP for PII/secrets in tool results
- Policy engine: Custom allow/deny/escalate rules per tool
These are available in the open-source spidershield Python package today (`pip install spidershield`).
---
*SpiderShield is the open-source security scanner behind SpiderRating. GitHub | Leaderboard | Scan your server*