Jwt Toolkit

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a local JWT decoder with no network or persistence, but live tokens are sensitive and its “valid” status only reflects expiry, not full cryptographic verification.

Safe to install for local JWT inspection, but do not paste or log live tokens casually, and do not rely on this tool alone to prove a token is cryptographically valid.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a real token is pasted, read from a file, or included in a command, its claims may be displayed and the token itself should be protected like a credential.

Why it was flagged

Bearer JWTs are often live authentication or session tokens. Handling them is central to this skill and no exfiltration is shown, but users should treat any supplied token and decoded claims as sensitive.

Skill content
Use when debugging auth tokens, checking if a JWT is expired, inspecting JWT claims, decoding Bearer tokens
Recommendation

Only inspect tokens you are authorized to handle, avoid sharing command/output logs containing tokens or claims, and prefer safer input handling for live tokens when possible.

What this means

A user could over-interpret “VALID” as meaning the JWT is fully trustworthy when it may only mean the exp claim has not passed.

Why it was flagged

The displayed VALID status is based only on the expiry check; the script neither takes signing keys nor performs cryptographic signature, issuer, or audience validation.

Skill content
lines.append(f"Status: VALID — expires in {expiry['expires_in']}")
Recommendation

Treat this tool as a decoder and expiry inspector; use a proper JWT validation library or identity-provider tooling when signature, issuer, audience, and key checks are required.
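To make the gap between "not yet expired" and "cryptographically valid" concrete, here is an added example (not the skill's own code, which is only quoted on this page via its Status line). It re-implements an expiry-only status check alongside a full HS256 verification that pins the algorithm, checks the signature with a constant-time compare, and validates iss, aud and exp. The secret, issuer and audience values are constructed for the demo, and the function names are hypothetical. The example then shows that a token signed with the wrong key, or issued for a different audience, still reports VALID under the expiry-only logic while failing full verification.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values; a real verifier obtains the key from the identity
# provider (e.g. a JWKS endpoint) and the expected issuer/audience from config.
DEMO_SECRET = b"demo-hs256-secret-not-for-production"
EXPECTED_ISS = "https://issuer.example"
EXPECTED_AUD = "demo-api"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    # Minimal HS256 issuer used only to build test tokens for the demo.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    # What a decoder-only tool does: split and base64-decode the payload, no signature check.
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def expiry_only_status(token: str, now: Optional[int] = None) -> str:
    # Mirrors the kind of "VALID" logic the finding describes: only exp is examined.
    now = int(time.time()) if now is None else now
    exp = decode_unverified(token).get("exp")
    if exp is None:
        return "NO EXP CLAIM"
    return "VALID" if exp > now else "EXPIRED"


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[int] = None) -> Tuple[bool, str]:
    # Full verification: pinned algorithm, signature, issuer, audience, expiry.
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token header choose it.
    if header.get("alg") != "HS256":
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "signature mismatch"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired or missing exp"
    return True, "ok"


def demo(now: int = 1_700_000_000) -> dict:
    # Three constructed tokens: correctly signed, signed with the wrong key, wrong audience.
    base = {"sub": "alice", "iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "exp": now + 3600}
    good = make_hs256_token(base, DEMO_SECRET)
    wrong_key = make_hs256_token(dict(base, sub="admin"), b"wrong-key")
    wrong_aud = make_hs256_token(dict(base, aud="other-api"), DEMO_SECRET)
    return {
        name: (expiry_only_status(tok, now),
               verify_hs256(tok, DEMO_SECRET, EXPECTED_ISS, EXPECTED_AUD, now))
        for name, tok in (("good", good), ("wrong_key", wrong_key), ("wrong_aud", wrong_aud))
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the demo shows all three tokens as VALID under the expiry-only check, while only the correctly signed, correctly scoped token passes verify_hs256; that difference is exactly why the recommendation above says to treat the skill as a decoder and expiry inspector rather than a validator.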