exploiting-jwt-algorithm-confusion-attack

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to capture a valid JWT (a sensitive bearer token) and then construct and send forged tokens by including those JWT values verbatim in Authorization headers and prints/inspects token/header data, which requires handling and outputting secret token values.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The content explicitly instructs and provides code to forge JWTs, bypass signature verification (alg:none and algorithm confusion), perform JKU/KID header injection, and escalate privileges—behavior intended to enable unauthorized access and account takeover if used without authorization.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's workflow and code explicitly fetch and parse untrusted public endpoints (e.g., SKILL.md Step 2 uses requests.get on /.well-known/jwks.json and the OpenID configuration, and Step 5 discusses JKU/JWKS URLs) and scripts/agent.py reads/uses those JWKS/JKU/X5U values to construct and sign tokens, so third-party content is ingested and can materially influence the agent's actions.