attacking-oauth-with-device-code-phishing

Fail

Audited by Snyk on Jun 22, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). This prompt explicitly instructs capturing access_tokens/refresh_tokens and client_secrets and embedding them verbatim into subsequent commands and scripts (curl, roadtx, TokenTactics), which requires the LLM to output secret values directly and creates a high exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). Although many links are legitimate Microsoft, standards, and reference pages, the list also includes GitHub repositories (TokenTactics, ROADtools, AADInternals) and an attacker callback used to host/execute offensive tooling plus explicit instructions for device-code/consent phishing — making these sources high-risk for distributing malicious scripts and post‑exploitation tools.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This content is an explicit, operational playbook for OAuth device‑code phishing and illicit-consent attacks that instructs capture and reuse of access/refresh tokens to access Microsoft 365 resources and establish persistent tenant access—i.e., deliberate credential theft, token exfiltration, and backdoor/persistence techniques.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Issues (4)

W007
HIGH

Insecure credential handling detected in skill instructions.

E005
CRITICAL

Suspicious download URL detected in skill instructions.

E006
CRITICAL

Malicious code pattern detected in skill scripts.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 22, 2026, 10:11 PM
Issues
4
Security Audit — snyk — attacking-oauth-with-device-code-phishing