Back to skill

Security audit

Jwtdecode

Security checks across malware telemetry and agentic risk

Overview

This skill does not appear to run harmful actions, but it is misleadingly packaged as JWT decode guidance while mostly printing generic template documentation.

Review this before installing if you need trustworthy JWT or security guidance. It appears mechanically safe as a local text-printing script, but its content is not a reliable Jwtdecode/JWT reference until the publisher replaces the generic template text with accurate, domain-specific material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script is presented as a Jwtdecode-specific reference tool, but nearly all content is generic placeholder text unrelated to JWT decoding. In a security/devtools context, misleading documentation can cause users or agents to rely on incorrect guidance, omit JWT-specific validation and security practices, and make unsafe implementation decisions.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The help text markets the tool as a Jwtdecode reference resource even though the embedded commands provide generic devtools advice. This misrepresentation increases the chance that users will trust the tool for JWT-related security decisions despite it lacking relevant, accurate content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.