offensive-jwt

Audit result: Fail

Audited by Snyk on May 8, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (risk score 0.90). The skill instructions tell a target server to load its verification key or certificate from attacker-controlled endpoints (attacker.com/jwks.json and attacker.com/cert.pem) as remote key sources, for example via the JWT jku header. Pointing a verifier at an untrusted host is the core of JKU/JWKS injection: the host can serve a key the attacker holds, so forged tokens validate, and the forced outbound fetch is itself an SSRF vector. The other URLs in the skill (API endpoints and a legitimate GitHub repository) are not suspicious on their own, but they do not offset this finding.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (risk score 1.00). The skill scripts document credential-theft and authentication-bypass techniques: directing servers to attacker-controlled JWKS/JKU endpoints, JWKS cache poisoning and header injection, extracting tokens from mobile clients, and brute-forcing or timing-attacking HMAC signatures. Together these enable token forgery, authentication bypass and data exfiltration.
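Both findings turn on the same mechanism: a verifier that fetches its signing key from wherever the token's jku header points. The Python below is an illustration added to this report; it is not code from the audited skill, from Snyk, or from any JWT library. It shows the vulnerable key-selection pattern beside a version that pins jku to an allowlist, and it goes slightly beyond the findings by also rejecting the common URL-confusion forms (http scheme, userinfo "@" tricks, look-alike suffix domains, query strings). The issuer hostname issuer.example.com, the allowlist, the JWKS documents and the tokens are all constructed; HTTP is simulated with an in-memory table, and signatures are placeholders because the point is which key gets selected, not signature verification.

```python
"""Added example: why a verifier must not follow the JWT 'jku' header blindly.

Illustrative code, not part of the audited skill or of any library. Network
access is simulated with an in-memory table and the tokens carry a dummy
signature, because the point is key *selection*, not signature math.
"""
import base64
import json
from urllib.parse import urlsplit

# Constructed allowlist: the only JWKS document this service may ever fetch.
TRUSTED_JKU = frozenset({"https://issuer.example.com/.well-known/jwks.json"})

# Constructed stand-in for HTTP: what a GET of each URL would return.
# The attacker republishes the issuer's 'kid', so a kid lookup "succeeds".
FAKE_HTTP = {
    "https://issuer.example.com/.well-known/jwks.json": {
        "keys": [{"kid": "issuer-key-1", "kty": "RSA", "n": "issuer-modulus", "e": "AQAB"}]
    },
    "https://attacker.com/jwks.json": {
        "keys": [{"kid": "issuer-key-1", "kty": "RSA", "n": "attacker-modulus", "e": "AQAB"}]
    },
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(header: dict, payload: dict) -> str:
    """Build a JWT with a placeholder signature (constructed test input)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}.{b64url_encode(b'not-a-real-signature')}"


def unverified_header(token: str) -> dict:
    """Parse the JOSE header. Nothing in it is trustworthy yet."""
    return json.loads(b64url_decode(token.split(".")[0]))


def naive_jwks_url(token: str) -> str:
    """Vulnerable pattern: fetch keys from wherever the token says (JKU injection)."""
    return unverified_header(token)["jku"]


def pinned_jwks_url(token: str, trusted=TRUSTED_JKU) -> str:
    """Hardened pattern: 'jku' is only a hint that must match a pinned allowlist."""
    jku = unverified_header(token).get("jku")
    if not isinstance(jku, str):
        raise ValueError("missing or non-string jku")
    parts = urlsplit(jku)
    if parts.scheme != "https":
        raise ValueError(f"jku must use https: {jku}")
    if "@" in parts.netloc:
        raise ValueError(f"userinfo in jku host is not allowed: {jku}")
    if parts.query or parts.fragment:
        raise ValueError(f"query/fragment in jku is not allowed: {jku}")
    # Exact-string match, never prefix/suffix matching: this is what stops
    # issuer.example.com.attacker.com and attacker.com/issuer.example.com/...
    if jku not in trusted:
        raise ValueError(f"jku not in allowlist: {jku}")
    return jku


def jku_allowed(jku: str, trusted=TRUSTED_JKU) -> bool:
    """True if pinned_jwks_url would accept a token carrying this jku value."""
    try:
        pinned_jwks_url(make_token({"alg": "RS256", "jku": jku}, {}), trusted)
        return True
    except ValueError:
        return False


def resolve_key(token: str, select_url):
    """Pick the signing key: fetch JWKS from the selected URL, then match 'kid'."""
    url = select_url(token)
    kid = unverified_header(token).get("kid")
    jwks = FAKE_HTTP[url]  # stands in for an HTTP GET
    for jwk in jwks["keys"]:
        if jwk.get("kid") == kid:
            return url, jwk
    raise LookupError(f"kid {kid!r} not found at {url}")


# Constructed tokens: one honest, one with the header pointed at attacker.com.
HONEST = make_token(
    {"alg": "RS256", "kid": "issuer-key-1",
     "jku": "https://issuer.example.com/.well-known/jwks.json"},
    {"sub": "alice"},
)
FORGED = make_token(
    {"alg": "RS256", "kid": "issuer-key-1", "jku": "https://attacker.com/jwks.json"},
    {"sub": "admin"},
)


if __name__ == "__main__":
    print("naive  :", resolve_key(FORGED, naive_jwks_url)[0])   # attacker.com wins
    print("pinned :", resolve_key(HONEST, pinned_jwks_url)[0])
    try:
        resolve_key(FORGED, pinned_jwks_url)
    except ValueError as exc:
        print("pinned rejects forged token:", exc)
```

With the naive selector the forged token resolves to the attacker's JWKS, and since the attacker reused the issuer's kid the verifier would go on to check the forged signature against the attacker's key and accept it. The pinned selector never consults attacker.com at all, which is the property a verifier needs: the jku header can only confirm a location the service already trusts, never introduce a new one.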


Audit Metadata
Risk Level
CRITICAL
Analyzed
May 8, 2026, 03:33 AM
Issues
2