Express Oauth2 Jwt Bearer

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Auth0 setup helper for protecting Express APIs, with sensitive steps disclosed and user-controlled.

Before installing, confirm you are comfortable with the optional bootstrap creating an Auth0 API in your active tenant and writing a .env file in the target project. Treat any M2M client_secret used for test tokens as confidential: keep it server-side, avoid shell history/log exposure where possible, and never commit it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The example shows a real token request containing a `client_secret` sent to an external Auth0 endpoint, but it does not immediately warn readers that this secret is highly sensitive and must not be hardcoded, committed, logged, or used from untrusted environments such as frontend code. In documentation, users often copy-paste examples directly, so omission of handling guidance can lead to credential leakage and unauthorized token minting if the secret is exposed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal