jwt-oauth-token-attacks

SUSPICIOUS: the skill is internally coherent as an authentication attack playbook, but that stated purpose is itself a high-risk offensive-security capability for an AI agent. Install provenance is mostly acceptable and same-project/official where checked, so the main concern is not malware or credential harvesting by the skill author; it is that the skill equips the agent to run token forgery, brute-force, OAuth account-binding, and token theft attacks against external targets.