jwt-oauth-token-attacks

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.95). These URLs are highly suspicious because they include attacker-controlled domains, JWKS/jku injection endpoints, open-redirect/redirect-uri confusion, host/username typosquats and token-leak vectors (not official/trusted download sources), which can be used to host malicious keys/payloads, hijack OAuth flows, exfiltrate tokens or deliver malware even without direct .exe links.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This document is an explicit, actionable offensive playbook describing how to forge and exfiltrate JWT/OAuth tokens, perform account takeovers (state/open-redirect/PKCE bypasses), abuse kid/jku headers to inject keys or fetch attacker JWKS, and use brute-force and file-read techniques — i.e., deliberate malicious guidance for credential theft and token-based backdoors.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow explicitly instructs fetching and using content from public endpoints (e.g., obtaining public keys from /api/.well-known/jwks.json or /certs and loading attacker-controlled JWKS at https://attacker.com/malicious-jwks.json in the "RS256→HS256" and "jku / x5u Header Injection" sections), meaning the agent would fetch and interpret untrusted third‑party content that could influence actions.