The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill recommends downloading the jwt_tool toolkit from its GitHub repository and installing the PyJWT library. These are well-known, legitimate tools required for the skill's stated purpose of security auditing.
[COMMAND_EXECUTION]: The documentation provides shell commands for using established security binaries such as hashcat and john the ripper to perform cryptographic analysis. These are intended for use by a practitioner during an authorized penetration test.
[SAFE]: The skill's primary automation script, agent.py, performs network-based security tests (e.g., algorithm manipulation and revocation checks) against user-defined target URLs. The operations are transparent and no evidence of unauthorized data exfiltration or credential harvesting was found.
[SAFE]: Evaluated the surface for indirect prompt injection regarding the processing of external JWT tokens. The agent.py script ingests untrusted tokens via the token argument, which are then decoded and displayed. Boundary markers are present in the output (e.g., [*] JWT Payload:) to distinguish data from instructions. The skill possesses network capabilities and file-write access for reporting, but it does not execute content derived from the token, maintaining a low risk profile.

testing-jwt-token-security