Skill Trust Index / detail

SnailSploit/Claude-Red/offensive-oauth

Score 62 · caution · analyzed 2h ago
WHY THIS SCORE

Claims

The skill claims to provide a comprehensive methodology and checklist for testing OAuth 2.0 security implementations, covering attacks like redirect_uri bypass, CSRF, state parameter abuse, PKCE bypass, and token leakage. It acts as a guide for an AI agent to systematically evaluate OAuth flows.

Actual behavior

The skill is primarily a **static knowledge base** (manifest). It defines trigger phrases and lists detailed technical criteria (e.g., 'exact match', 'PKCE mandatory'). It does not contain executable scripts or code that performs active network requests, parses live tokens, or executes external commands. It instructs the LLM to 'consider applicability' and 'track items', which are internal state management actions within the LLM's context window.
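As an added worked example (not part of this analysis and not code from the SnailSploit skill, which contains none), the following Python sketches what two of the checklist criteria quoted above, 'exact match' for redirect_uri and 'PKCE mandatory', mean when an authorization server actually enforces them, and what a tester's probes look like against a weak prefix-matching implementation. The client registration, the probe URIs and the authorize/token_exchange gate are hypothetical; the PKCE verifier/challenge pair is the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets

# Constructed registration for a hypothetical client (assumption: one
# registered redirect URI). Not taken from the skill or any real deployment.
REGISTERED_REDIRECT_URIS = {"https://app.example.com/callback"}

# Constructed tester probes for the redirect_uri check. Each is a value a
# tester sends to learn whether the server matches loosely.
REDIRECT_URI_PROBES = [
    "https://app.example.com/callback",                            # legitimate value
    "https://app.example.com/callback/../attacker",                # path manipulation
    "https://app.example.com/callback?next=https://attacker.tld",  # rides an open redirect on /callback
    "https://app.example.com.attacker.tld/callback",               # host suffix; must fail everywhere
    "http://app.example.com/callback",                             # scheme downgrade
]


def redirect_uri_weak_prefix_match(candidate: str) -> bool:
    """Loose matching some servers implement: any value that starts with a
    registered URI is accepted. This is what the checklist's 'exact match'
    criterion is meant to catch."""
    return any(candidate.startswith(r) for r in REGISTERED_REDIRECT_URIS)


def redirect_uri_exact_match(candidate: str) -> bool:
    """Simple string comparison against the registered set (RFC 6749 section
    3.1.2.2 and the OAuth 2.0 Security BCP): no prefixes, no normalization."""
    return candidate in REGISTERED_REDIRECT_URIS


def probe_redirect_uri_matching() -> dict[str, tuple[bool, bool]]:
    """Runs every probe through both validators: probe -> (weak_accepts, exact_accepts)."""
    return {p: (redirect_uri_weak_prefix_match(p), redirect_uri_exact_match(p))
            for p in REDIRECT_URI_PROBES}


def pkce_challenge_s256(code_verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(params: dict) -> tuple[bool, str]:
    """Hypothetical authorization-endpoint gate with 'PKCE mandatory' enforced.
    Returns (accepted, reason). A missing code_challenge and the 'plain' method
    (RFC 7636's default when code_challenge_method is absent) are both rejected,
    which are the PKCE-downgrade items a tester checks for."""
    if not redirect_uri_exact_match(params.get("redirect_uri", "")):
        return False, "redirect_uri is not an exact registered match"
    if not params.get("code_challenge"):
        return False, "PKCE mandatory: code_challenge missing"
    if params.get("code_challenge_method", "plain") != "S256":
        return False, "PKCE mandatory: only S256 accepted (plain is a downgrade)"
    return True, "ok"


def token_exchange(stored_challenge: str, presented_verifier: str) -> bool:
    """RFC 7636 section 4.6 check for an S256-bound authorization code: enforce
    the 43..128 character verifier bounds, recompute the challenge from the
    presented verifier and compare in constant time."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(pkce_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    for probe, (weak, exact) in probe_redirect_uri_matching().items():
        print(f"{probe:62s} weak={weak!s:5s} exact={exact}")
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"  # RFC 7636 Appendix B
    challenge = pkce_challenge_s256(verifier)
    print(authorize({"redirect_uri": "https://app.example.com/callback",
                     "code_challenge": challenge, "code_challenge_method": "S256"}))
    print(authorize({"redirect_uri": "https://app.example.com/callback/../attacker",
                     "code_challenge": challenge, "code_challenge_method": "S256"}))
    print(token_exchange(challenge, verifier), token_exchange(challenge, "wrong-verifier"))
```

The probe table is the part a tester reuses: every row where the weak validator accepts and the exact validator rejects is a candidate redirect_uri bypass, and the open-redirect probe is the one that turns a loose match into authorization-code leakage. The gate shows why 'PKCE mandatory' has to be checked at both endpoints: the authorization endpoint refuses plain or absent challenges, and the token endpoint must still recompute and compare, or a stolen code is redeemable with any verifier.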

Findings

medium · secret_access — references credentials / private keys / secrets (legitimate for some tools; see Actual behavior)
  manifest excerpt (truncated): s (DPoP, mTLS) - `private_key_jwt` or mTLS client
medium · secret_access — references credentials / private keys / secrets (legitimate for some tools; see Actual behavior)
  manifest excerpt (truncated): Authentication**: `private_key_jwt` or MTLS requir
  Both hits are the names of OAuth client-authentication methods (`private_key_jwt`, mTLS) that the checklist lists as requirements to test for, not key material carried in the skill.
medium · raw_ip_net — connects to a raw IP address
  manifest excerpt (truncated): o internal service (http://169.254.169.254) - Authorization
  169.254.169.254 is the link-local cloud instance metadata endpoint. It appears here in checklist text about reaching an internal service; since the skill contains no code that issues requests (see Actual behavior), this is a string reference in the methodology, not a connection the skill makes. The scanner's wording overstates it.

Attestation

signer 0xB62e1c338a83D3a6621f9127eEa5B000caCfCd01
digest 0x6adc47e3378c0eb6b159b49adb5b59135af28bf3f455fe89a32782da1dbf6b1a
verify: GET /skill/verify?digest=…&signature=… · scheme eip191-sha256
