testing-for-json-web-token-vulnerabilities
Fail
Audited by Snyk on Apr 9, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs forging and sending JWTs with secret values embedded verbatim (e.g., curl -H "Authorization: Bearer <FORGED_TOKEN>", using -p "discovered_secret", listing weak secrets, and showing discovered secret "secret123"), so the agent would need to handle and output secrets directly.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). These URLs include attacker-controlled hosts serving keys/certs and JWKS (attacker.com) alongside an exploitation GitHub repo (github.com/ticarpi/jwt_tool.git) used to craft forged tokens—so while some links are legitimate target endpoints, the attacker-controlled URLs and the toolkit indicate a high risk of malicious use or distribution of exploit scripts.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The content is explicitly an offensive JWT exploitation guide (with tooling and a runnable agent) that instructs and automates authentication bypass, token forging, secret brute-forcing, JKU/SSRF and kid SQLi/path-traversal attacks (including instructions to host attacker JWKS and exfiltrate signing keys), so it contains clear, deliberate malicious techniques that can be used to steal credentials and gain unauthorized access if used without authorization.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's workflow (SKILL.md Steps 3 and 5) explicitly instructs fetching public keys/JWKS and pointing jku/x5u to attacker-controlled URLs (e.g., curl http://target.com/.well-known/jwks.json and http://attacker.com/.well-known/jwks.json), and the agent code (scripts/agent.py) issues HTTP requests to the target URL and uses fetched key material to forge or test tokens, so untrusted third-party content is ingested and can materially change actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's workflow explicitly instructs fetching and running remote code (git clone https://github.com/ticarpi/jwt_tool.git followed by python3 jwt_tool.py), and jwt_tool is listed as a prerequisite and used throughout the runtime workflow, so external content would be fetched and executed during operation.
Issues (5)
W007 (HIGH): Insecure credential handling detected in skill instructions.
E005 (CRITICAL): Suspicious download URL detected in skill instructions.
E006 (CRITICAL): Malicious code pattern detected in skill scripts.
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata