exploiting-oauth-misconfiguration

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides bash loops and a Python agent that execute curl and python3 commands to test OAuth authorization and token endpoints.
  • [EXTERNAL_DOWNLOADS]: The scripts/agent.py tool performs network requests to fetch OIDC discovery documents and test responses from external authorization servers.
  • [DATA_EXFILTRATION]: The skill is designed to send test parameters, such as Client IDs and redirect URIs, to external servers to evaluate their security posture during vulnerability research.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes untrusted data from OIDC discovery endpoints.
    • Ingestion points: scripts/agent.py reads JSON from user-provided URLs in discover_oidc_config.
    • Boundary markers: The script does not use specific delimiters or instructions to ignore potential commands within the OIDC JSON.
    • Capability inventory: The tool performs network calls and parameter fuzzing based on data retrieved from external configurations in test_redirect_uri_bypasses and others.
    • Sanitization: The script uses standard JSON parsing but lacks explicit schema validation or filtering for the ingested configuration data.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 15, 2026, 01:52 PM