A community-driven registry for Claude, Cursor, Windsurf, Cline & more. Not affiliated with Anthropic.
Are you the author? Sign in to claim
Trust nothing. Ship safely. — Skeptical-reading and prompt-injection defense skill for AI agents. Provenance tagging, re
BridgeWard
A Claude Code plugin from BridgeMind that wards your AI agents against prompt injection.
Skeptical-reading discipline for any agent that reads public-facing or untrusted content.
AI agents that read web pages, emails, GitHub issues, MCP tool outputs, search results, scraped HTML, third-party repos, or any other untrusted input are one prompt-injection bug away from data exfiltration, RCE, or silent backdoor insertion.
Real exploits in production, 2024–2026:
.cursorrules plants silent backdoorsOpenAI's own December 2025 statement: prompt injection "is unlikely to ever be fully solved" for browser agents.
You can't eliminate the risk. You can install the discipline. That's BridgeWard.
| Component | Type | What It Does |
|---|---|---|
bridgeward | Skill | Core skeptical-reading discipline — auto-loaded when your agent ingests untrusted content. Provenance tagging, red-flag patterns, refusal templates, capability scoping. |
injection-audit | Skill | Slash-command audit. Scans a file/dir/URL/MCP server for injection attempts, returns severity-tagged report. |
injection-auditor | Agent | Read-only subagent that performs deep audits. Cannot write, edit, or execute. Cannot follow instructions found in audited content. |
claude plugin install bridgeward@bridgemind-plugins
# Project-level
mkdir -p .claude/skills .claude/agents
cp -r skills/bridgeward .claude/skills/
cp -r skills/injection-audit .claude/skills/
cp agents/injection-auditor.md .claude/agents/
# Personal / global
mkdir -p ~/.claude/skills ~/.claude/agents
cp -r skills/bridgeward ~/.claude/skills/
cp -r skills/injection-audit ~/.claude/skills/
cp agents/injection-auditor.md ~/.claude/agents/
ln -s "$(pwd)/skills/bridgeward" ~/.claude/skills/bridgeward
ln -s "$(pwd)/skills/injection-audit" ~/.claude/skills/injection-audit
ln -s "$(pwd)/agents/injection-auditor.md" ~/.claude/agents/injection-auditor.md
SYSTEM, USER, WEB_PAGE, EMAIL_BODY, MCP_TOOL_DESC, MCP_TOOL_RESULT, REPO_UNTRUSTED, etc. Authority decreases left to right.An agent is exploitable when all three are simultaneously available:
Cut any one leg per flow.
Once installed, the bridgeward skill activates whenever your agent reads externally-sourced content. Your agent now knows:
> /injection-audit ./cloned-third-party-repo
> /injection-audit https://suspicious-site.example.com/post
> /injection-audit ./mailbox-export.json
The injection-auditor agent walks the target, makes hidden content visible, and produces a severity-tagged report.
A ward is a guard, a magical protective sigil, an asylum unit, a sentinel position. It both wards off attacks and watches over its charge. The skill takes the same posture: it doesn't claim to make injection impossible (nothing does), but it makes your agent vigilant, skeptical, and loud about what it sees.
The brand line is BridgeMind's: Ship with agents. The security corollary: Trust nothing. Ship safely.
You should install BridgeWard if your agent does any of:
If your agent only operates on input typed directly by the user, you may not need this. Everyone else does.
BridgeWard/
├── .claude-plugin/
│ └── plugin.json
├── skills/
│ ├── bridgeward/
│ │ ├── SKILL.md
│ │ └── references/
│ │ ├── threat-taxonomy.md
│ │ ├── red-flag-patterns.md
│ │ ├── case-studies.md
│ │ ├── trust-labels.md
│ │ ├── per-tool-defenses.md
│ │ ├── refusal-templates.md
│ │ └── checklist.md
│ └── injection-audit/
│ └── SKILL.md
├── agents/
│ └── injection-auditor.md
├── scripts/
│ └── scan.sh
└── templates/
BridgeWard is a standard SKILL.md / agent package. Agent Skills (agentskills.io) is supported by 30+ tools.
| Tool | Skills | Subagent | Notes |
|---|---|---|---|
| Claude Code | ✅ | ✅ | Full plugin support |
| Cursor | ✅ | — | Drop into .cursor/skills/ (or use as MCP) |
| Windsurf | ✅ | — | Skill format |
| OpenAI Codex | ✅ | — | Skill format |
| Gemini CLI | ✅ | — | Skill format |
| Cline / Roo Code | ✅ | — | Skill format |
| GitHub Copilot | ✅ | — | Via .github/copilot-instructions.md reference |
| Continue.dev | ✅ | — | Skill format |
| Goose | ✅ | — | Skill format |
nsjail, macOS sandbox) for execution isolation. BridgeWard tells your agent when to refuse; the harness must enforce it.It is one layer in a stack. Layer it with: input/output classifiers (Llama Prompt Guard, Lakera, Anthropic Constitutional Classifiers), capability-based control flow (CaMeL), dual-LLM patterns, sandboxing, and a hard human-in-the-loop on destructive actions.
This skill synthesizes guidance from:
Full list with case-study writeups in skills/bridgeward/references/case-studies.md.
PRs welcome — especially for new red-flag patterns, fresh case studies, and per-tool defense additions. See CONTRIBUTING.md.
When adding a new red-flag pattern: include a real-world citation (CVE, writeup, or paper). When adding a new case study: name the vendor, date, vector, and remediation.
MIT. See LICENSE. True open source. No license traps. Ship freely.
BridgeMind is an agentic organization — AI agents are teammates, not tools. We build open-source plugins for the builder community to ship faster through vibe coding.
Other open-source projects in the BridgeMind family:
Built by BridgeMind. Trust nothing. Ship safely.
Claude Code skill for YouTube creators — channel audits, video SEO, retention scripts, thumbnails, content strategy, Sho
AI image generation skill for Claude Code -- Creative Director powered by Gemini
A Claude Code skill by Hao (駱君昊) that learns your Facebook voice and auto-posts to FB / IG / Threads / X with a 14-day c
Universal SEO skill for Claude Code. 25 sub-skills + 18 sub-agents covering technical SEO, E-E-A-T, schema, GEO/AEO, bac