moai-security-identity
Audited by Socket on Mar 1, 2026
1 alert found:
Security: This Skill implements standard enterprise identity functionality (SAML, OIDC, JWT validation, SCIM) and is coherent with its stated purpose. No direct malicious code patterns (remote shell, obfuscated payloads, curl|bash install chains, known exfiltration endpoints like webhook.site) are present. The primary security concerns are operational: hardcoded/cleartext secrets in the example, missing critical helper implementations (webhook signature verification and JWK-to-PEM conversion), and the data privacy risk of forwarding identity/provisioning PII to a third-party Context7 service. These issues increase the chance of credential or PII exposure if the recipe is copied into production without secure implementations and proper access controls.
Recommend:
(1) never embed client_secret in code; use environment variables/secure vaults;
(2) ensure jwkToPem and verifyWebhookSignature are implemented using vetted libraries and strict checks;
(3) document and control any outbound PII to Context7 (consent, minimal fields, encryption, contractual protections);
(4) sanitize error messages and ensure key/material file permissions are strict.