skills/mukul975/anthropic-cybersecurity-skills/attacking-oauth-with-device-code-phishing/Gen Agent Trust Hub
attacking-oauth-with-device-code-phishing
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to download and install security research tools from public repositories and registries.
- Fetches the
TokenTacticsPowerShell module from GitHub:https://github.com/rvrsh3ll/TokenTactics.git. - Installs the
roadtoolsandroadtools_authpackages from the standard Python Package Index (PyPI). - [COMMAND_EXECUTION]: The workflow relies on executing shell commands and scripts to interact with identity providers.
- Uses
curlto send POST requests to Microsoft's OAuth 2.0 device-code and token endpoints. - Runs a custom Python script (
agent.py) and PowerShell commands (Get-AzureToken,Invoke-RefreshTo...) to automate token polling and exchange. - [DATA_EXFILTRATION]: The skill's primary objective is the capture and storage of identity tokens for security testing purposes.
- Captures
access_tokenandrefresh_tokendata from Entra ID and saves them to local files (tokens.json,tokens_refreshed.json). - Demonstrates replaying these tokens to exfiltrate data from Microsoft 365 services such as Outlook via the Graph API.
Audit Metadata