jwt-attack-methodology
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Provides specific command-line instructions for security tools such as hashcat, john the ripper, and jwt_tool to perform offline brute-forcing of HMAC-based JWT secrets.
- [COMMAND_EXECUTION]: Includes Python scripts within the reference documentation for automating security analysis tasks, including public key extraction from JWKS endpoints and the generation of forged tokens.
- [EXTERNAL_DOWNLOADS]: Recommends downloading and installing third-party security tools like jwt-tool and c-jwt-cracker from public GitHub repositories for use in testing.
- [PROMPT_INJECTION]: The skill ingests untrusted data from JWT tokens obtained via HTTP responses (Ingestion Point: SKILL.md). The methodology lacks explicit boundary markers or data sanitization before processing, which represents an attack surface for indirect prompt injection (Sanitization: Absent; Capability: http_request, python3).
Audit Metadata