performing-jwt-none-algorithm-attack

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs capturing a real JWT and then embedding that token verbatim into Authorization headers/commands (and even shows example bearer tokens), which requires the LLM to handle and output sensitive token values directly.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content provides explicit, actionable tooling and instructions to craft and send forged JWTs (including alg='none' and RS256->HS256 confusion), enabling token forgery, privilege escalation, and user impersonation — capabilities that can be directly abused for unauthorized access.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's workflow and code (SKILL.md Step 3 and scripts/agent.py's test_jwt_endpoint) explicitly send requests to arbitrary user-supplied target URLs using requests.get and ingest the responses (status_code and body_snippet) to decide whether forged tokens are accepted, so untrusted third-party responses are read and can materially influence the agent's decisions.