skills/mukul975/anthropic-cybersecurity-skills/testing-oauth2-implementation-flaws/Gen Agent Trust Hub
testing-oauth2-implementation-flaws
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is a legitimate security auditing utility. All scripts and instructions are focused on identifying common misconfigurations in OAuth 2.0 and OIDC flows. The provided logic is transparent and follows industry-standard testing methodologies.
- [EXTERNAL_DOWNLOADS]: The skill fetches configuration metadata from the target server's OpenID discovery endpoint. This is a standard step in OAuth reconnaissance and does not involve the execution of remote scripts or the installation of unverified software.
- [DATA_EXFILTRATION]: Network operations are limited to communicating with the authorization and token endpoints specified by the user for testing purposes. No sensitive data from the host environment is accessed or transmitted to unauthorized domains.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it processes data from external endpoints.
  - Ingestion points: Data is retrieved from the `/.well-known/openid-configuration` endpoint of the target server in both `SKILL.md` and `scripts/agent.py`.
  - Boundary markers: None are present to delimit the untrusted input.
  - Capability inventory: The skill can perform network requests using the `requests` library and write a local report file.
  - Sanitization: While the script extracts values from the JSON response, it treats them as URL strings rather than executable instructions. This surface is considered safe within the context of a specialized security tool.
Audit Metadata