exploiting-jwt-algorithm-confusion-attack
Fail
Audited by Snyk on Apr 10, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly captures a real JWT (valid_token), prints token/header/public-key data, and embeds tokens verbatim into Authorization headers and outputs, which requires handling and outputting secret bearer-token values directly.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This content is an explicit offensive toolkit: it provides code and step-by-step instructions to forge JWTs (RS256→HS256 key-confusion using the public key, alg:none bypass), host attacker-controlled JWKS (jku/x5u) and perform KID injection/path traversal/SQL injection to obtain or impersonate privileged accounts and thereby enable unauthorized access and potential data exfiltration.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and parses untrusted public keys from third-party endpoints (e.g., Step 2 fetching /.well-known/jwks.json and the OIDC jwks_uri in SKILL.md) and Step 5 demonstrates JKU header injection pointing to attacker-controlled JWKS URLs (e.g., https://attacker.com/.well-known/jwks.json), and those fetched keys are directly used to craft and sign tokens that determine subsequent requests and actions.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata