sast-jwt

Warn

Audited by Socket on Mar 30, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS: the skill is internally coherent as a JWT SAST/audit skill, with no obvious credential harvesting or off-platform exfiltration, but it gives an AI agent offensive security review capability and processes untrusted repository content with subagents and file-write access. Main risk is enabling exploit-focused analysis, not malware-like behavior.

Confidence: 83%
Severity: 71%
Audit Metadata

Analyzed At: Mar 30, 2026, 06:24 PM
Package URL: pkg:socket/skills-sh/utkusen%2Fsast-skills%2Fsast-jwt%2F@cb1e814059e65832a09b3a954620295962409b81