Find vulnerabilities. Ship secure. — Senior security-engineer skill for AI coding agents. OWASP Top 10, CWE Top 25, secr
BridgeSecurity
A Claude Code plugin from BridgeMind that gives your AI agents the instincts of a senior application security engineer.
Stop shipping classic vulnerabilities — start shipping production-secure code.
AI coding agents write functional code, but they keep shipping the same classic vulnerabilities — SQL injection, XSS, IDOR, hardcoded secrets, missing auth on Server Actions, public S3 buckets, pull_request_target with checkout-of-fork-code. The bugs that have headlined CVEs for fifteen years.
BridgeSecurity fixes this. It's a set of detection patterns, vulnerability taxonomies, threat-modeling discipline, and a specialized auditor agent that teach your AI teammates to think like a senior security engineer — find the trust boundary, match input to sink, check auth on every state-changing path, treat every secret as already leaked, fail closed.
- `x-middleware-subrequest` bypass class
- `Math.random()` for tokens, ECB mode, hardcoded keys, JWT `alg: none`, HS256/RS256 confusion, `===` for HMAC compare
- `file://` / TOCTOU
- `path.join` without prefix-check, `send_file` with raw input
- `pickle.loads`, `yaml.load`, `ObjectInputStream`, `vm2`
- `*:*`, `0.0.0.0/0:22`, IMDSv1, missing encryption
- `privileged: true`, `runAsUser: 0`, `hostNetwork`, `/var/run/docker.sock` mount, `image:latest`
- `pull_request_target` + checkout-fork-code, mutable Action tags (CVE-2025-30066 class), shell-injection via PR title
- `//evil.com` bypass class

| Component | Type | What It Does |
|---|---|---|
| bridgesecurity | Skill | Core security discipline — auto-loaded when your agent reads, writes, or reviews code. Five Disciplines, threat-model checklist, detection cheat-sheet. |
| security-audit | Skill | Slash-command audit. Scans a file/dir/PR/repo for vulnerabilities, returns severity-ranked report with CWE/OWASP mapping. |
| security-auditor | Agent | Read-only senior security engineer subagent. Cannot write, edit, or delete. Walks every file with the OWASP Top 10 + CWE Top 25 + threat model. |
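
Hardened forms of three patterns from the detection list above (`Math.random()` for tokens, `===` for HMAC compare, `path.join` without prefix-check), as an added example that is not taken from the BridgeSecurity skill itself. The function names, key, message and paths are constructed for illustration.

```javascript
const crypto = require('node:crypto');
const path = require('node:path');

// Pattern: Math.random() for tokens. Math.random() is not a CSPRNG, so
// session and reset tokens are drawn from the OS CSPRNG instead.
function newToken(bytes = 32) {
  return crypto.randomBytes(bytes).toString('hex');
}

// Pattern: === for HMAC compare. String equality may return at the first
// differing character; timingSafeEqual compares in constant time.
function verifyHmac(key, message, presentedHex) {
  // Reject anything that is not exactly 64 hex chars: Buffer.from(..., 'hex')
  // silently stops at the first invalid character.
  if (!/^[0-9a-f]{64}$/i.test(String(presentedHex))) return false;
  const expected = crypto.createHmac('sha256', key).update(message).digest();
  const presented = Buffer.from(presentedHex, 'hex');
  // timingSafeEqual throws on unequal lengths; lengths are equal here.
  return crypto.timingSafeEqual(presented, expected);
}

// Pattern: path.join without prefix-check. Joining normalises "..", so the
// result can leave the base directory; resolve, then check containment.
// This is a lexical check only: symlinks inside baseDir are not followed.
function resolveInside(baseDir, userPath) {
  const base = path.resolve(baseDir);
  const target = path.resolve(base, String(userPath));
  // Compare against base + separator so a sibling such as
  // "/srv/uploads-evil" does not pass as a child of "/srv/uploads".
  if (target !== base && !target.startsWith(base + path.sep)) {
    return null; // fail closed
  }
  return target;
}

// Constructed sample values.
const KEY = 'constructed-demo-key';
const MSG = 'user=42&action=export';
const GOOD_MAC = crypto.createHmac('sha256', KEY).update(MSG).digest('hex');

console.log({
  tokenLength: newToken().length,
  goodMac: verifyHmac(KEY, MSG, GOOD_MAC),
  truncatedMac: verifyHmac(KEY, MSG, GOOD_MAC.slice(0, 8)),
  inside: resolveInside('/srv/uploads', 'a/b.txt'),
  traversal: resolveInside('/srv/uploads', '../../etc/passwd'),
  sibling: resolveInside('/srv/uploads', '../uploads-evil/x'),
});
```
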
The skill ships with eight deep reference docs (~50 pages of practitioner-grade content):
```bash
claude plugin install bridgesecurity@bridgemind-plugins
```

```bash
# Project-level
mkdir -p .claude/skills .claude/agents
cp -r skills/bridgesecurity .claude/skills/
cp -r skills/security-audit .claude/skills/
cp agents/security-auditor.md .claude/agents/

# Personal / global
mkdir -p ~/.claude/skills ~/.claude/agents
cp -r skills/bridgesecurity ~/.claude/skills/
cp -r skills/security-audit ~/.claude/skills/
cp agents/security-auditor.md ~/.claude/agents/
```
Once installed, the bridgesecurity skill activates whenever your agent reads, writes, or reviews code. Your agent now thinks like a senior:
(source, sink) pair is a potential vulnerability.

Before declaring code "secure":
If any answer is "I don't know" — the code is not cleared.
```
> /security-audit src/api/users.ts
> /security-audit https://github.com/owner/repo/pull/123
> /security-audit ./terraform/
> /security-audit "all server actions in this app"
```
The security-auditor agent walks the target, applies all 20 audit categories, and produces a severity-ranked report with:
Direct. Functional. Pairs with BridgeWard — Trust nothing. Ship safely. — for prompt-injection defense:
Both rooted in the BridgeMind brand line: Ship with agents. The security corollary: Find vulnerabilities. Ship secure.
You should install BridgeSecurity if your agent:
eval, exec, query, fetch, redirect, file paths, or secrets

If your agent only writes pure functions and unit tests, you may not need this. Everyone else does.
```
BridgeSecurity/
├── .claude-plugin/
│   └── plugin.json
├── skills/
│   ├── bridgesecurity/
│   │   ├── SKILL.md
│   │   └── references/
│   │       ├── vulnerability-taxonomies.md
│   │       ├── language-patterns.md
│   │       ├── frontend-patterns.md
│   │       ├── infrastructure-patterns.md
│   │       ├── secrets-patterns.md
│   │       ├── case-studies.md
│   │       ├── tooling.md
│   │       └── threat-modeling.md
│   └── security-audit/
│       └── SKILL.md
├── agents/
│   └── security-auditor.md
└── scripts/
    └── scan.sh
```
BridgeSecurity uses the standard SKILL.md / agent package format supported by 30+ AI coding tools.
| Tool | Skills | Subagent | Notes |
|---|---|---|---|
| Claude Code | ✅ | ✅ | Full plugin support |
| Cursor | ✅ | — | Drop into .cursor/skills/ |
| Windsurf | ✅ | — | Skill format |
| OpenAI Codex | ✅ | — | Skill format |
| Gemini CLI | ✅ | — | Skill format |
| Cline / Roo Code | ✅ | — | Skill format |
| GitHub Copilot | ✅ | — | Via .github/copilot-instructions.md reference |
| Continue.dev | ✅ | — | Skill format |
| Goose | ✅ | — | Skill format |
It is one layer in your stack. Layer it with: SAST in CI, dependency scanning, secret scanning, container scanning, IaC scanning, DAST, runtime observability, and human security review for high-stakes changes.
This skill synthesizes guidance from:
PRs welcome — especially for new vulnerability patterns, fresh case studies, and per-language additions. See CONTRIBUTING.md.
When adding a new pattern: include a real-world citation (CVE, writeup, or CVSS score). When adding a new case study: name the vendor, date, vector, and remediation.
MIT. See LICENSE. True open source. No license traps. Ship freely.
BridgeMind is an agentic organization — AI agents are teammates, not tools. We build open-source plugins for the builder community to ship faster through vibe coding — and ship securely.
Built by BridgeMind. Find vulnerabilities. Ship secure.