Claims
The skill claims to provide a comprehensive methodology and checklist for testing OAuth 2.0 security implementations, covering attacks like redirect_uri bypass, CSRF, state parameter abuse, PKCE bypass, and token leakage. It acts as a guide for an AI agent to systematically evaluate OAuth flows.
Actual behavior
The skill is primarily a **static knowledge base** (manifest). It defines trigger phrases and lists detailed technical criteria (e.g., 'exact match', 'PKCE mandatory'). It does not contain executable scripts or code that performs active network requests, parses live tokens, or executes external commands. It instructs the LLM to 'consider applicability' and 'track items', which are internal state management actions within the LLM's context window.
medium secret_access — references credentials / private keys / secrets (legitimate for some tools; see behavior)
  matched text (snippet as captured, truncated):
    s (DPoP, mTLS)
    - `private_key_jwt` or mTLS client
medium secret_access — references credentials / private keys / secrets (legitimate for some tools; see behavior)
  matched text (snippet as captured, truncated):
    Authentication**: `private_key_jwt` or MTLS requir