sast-jwt

Identifies insecure JSON Web Token (JWT) implementations by analyzing token lifecycle and detecting vulnerabilities in verification processes.

Security score: 87/100

The sast-jwt skill was audited on Jun 13, 2026 and we found 5 security issues across 3 threat categories. Review the findings below before installing.

Security Issues

low, line 168: Access to .env file
  Source: SKILL.md, line 168
    const SECRET = process.env.JWT_SECRET;

medium, line 41: Base64 decode operation
  Source: SKILL.md, line 41
    - Manual base64 decode of the payload with no signature check

medium, line 383: Base64 decode operation
  Source: SKILL.md, line 383
    > - Manual base64-decode of the payload without any signature check is always vulnerable

low, line 101: External URL reference
  Source: SKILL.md, line 101
    issuer="https://myapp.example.com",

low, line 115: External URL reference
  Source: SKILL.md, line 115
    ALLOWED_JWKS_URLS = {"https://accounts.google.com/.well-known/jwks.json"}
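Both "Base64 decode operation" findings match bullet text in SKILL.md that describes the anti-pattern the skill is built to flag, not executable code. As an added example (not code from the sast-jwt skill or the utkusen/sast-skills repository), the stdlib-only Python below puts that anti-pattern next to a verifier that checks the HS256 signature before trusting any claim: the algorithm is pinned server-side, the MAC is compared in constant time, and exp and iss are checked afterwards. The secret, the claims, the forged token and the 2100-01-01 expiry are constructed for the demo; the issuer string reuses the value shown in the line-101 finding.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWT strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    """Encode bytes as unpadded base64url, the JWT segment format."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unverified_payload(token):
    """INSECURE: the pattern flagged at SKILL.md lines 41 and 383. The
    signature segment is discarded, so any client can mint any claims."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def sign_hs256(claims, secret):
    """Mint an HS256 token; used here only to build inputs for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token, secret, expected_issuer, now=None):
    """Verify before trusting any claim. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; the token must not pick it (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time compare so the signature check does not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    return claims


SECRET = b"demo-secret-do-not-reuse"      # constructed for the demo only
ISSUER = "https://myapp.example.com"      # issuer value from the line-101 finding
FAR_FUTURE = 4102444800                   # 2100-01-01T00:00:00Z, keeps the demo token valid


def demo():
    """Return (role the insecure path trusts, verifier verdict on the forged
    token, role the verifier returns for the genuine token)."""
    genuine = sign_hs256({"sub": "alice", "role": "user", "iss": ISSUER, "exp": FAR_FUTURE}, SECRET)
    # Attacker rewrites the payload to role=admin but reuses the genuine signature.
    header_b64, _, sig_b64 = genuine.split(".")
    forged_body = _b64url_encode(json.dumps(
        {"sub": "alice", "role": "admin", "iss": ISSUER, "exp": FAR_FUTURE}).encode())
    forged = f"{header_b64}.{forged_body}.{sig_b64}"
    trusted_role = unverified_payload(forged)["role"]
    try:
        verify_hs256(forged, SECRET, ISSUER)
        verdict = "accepted"
    except ValueError as err:
        verdict = str(err)
    return trusted_role, verdict, verify_hs256(genuine, SECRET, ISSUER)["role"]


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the split the findings are about: unverified_payload() hands back the attacker's "admin" role, while verify_hs256() rejects the same token with "bad signature" and only returns claims for the genuinely signed one. The alg check runs before any signature math, so a header that says "none" is refused without the verifier ever consulting the secret.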
Scanned on Jun 13, 2026
GitHub stars: 661
Category: development
Updated: June 15, 2026
Repository: utkusen/sast-skills