testing-jwt-token-security

Fail

Audited by Snyk on Mar 15, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt repeatedly instructs embedding real JWTs and HMAC secrets into commands and code (e.g., Authorization headers, jwt.encode with "known_secret"/"cracked_secret_here"), which requires the agent to handle and output secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This content is a dual-use offensive JWT attack toolkit that contains explicit, actionable instructions and automation to forge tokens, brute-force HMAC secrets, perform JKU/x5u and KID injections and host attacker-controlled JWKS — behaviors that enable credential theft, authorization bypass and remote attacker-controlled key usage and therefore have high abuse potential.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). This skill explicitly fetches and parses public, untrusted endpoints (see SKILL.md Step 3 and scripts/agent.py's check_jwks_endpoint which requests /.well-known/jwks.json and related URLs) and then uses those retrieved keys/JSON to craft and sign tokens that directly influence subsequent tests and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's prerequisites and workflow explicitly instruct fetching and running the jwt_tool repository (git clone https://github.com/ticarpi/jwt_tool.git and examples calling python3 jwt_tool.py), which means remote code would be fetched and executed as a required runtime dependency.

Issues (4)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Mar 15, 2026, 12:26 AM
  • Issues: 4