
Audit history

frontend-api-client-with-jwt - 6 audits

Audit version 6

Latest: Medium risk

Jun 28, 2026, 03:53 AM

The static findings are documentation terms in SKILL.md, not executable code, command execution, scanning, or exfiltration behavior. One semantic concern remains: the skill lists localStorage as a JWT storage option without enough warning about XSS exposure, so publication should include a security warning.

Files analyzed: 1
Lines analyzed: 171
Review items: 3
False positives ignored: 0

Confirmed security concerns (3)

Medium
Security-Sensitive Token Storage Guidance
Static verdict: TRUE POSITIVE as a guidance risk, not as executable malware. The skill lists browser storage options for JWT tokens, including localStorage, which can expose bearer tokens to XSS if used without strong safeguards.
The line explicitly names token storage mechanisms in JWT guidance. The file is prose rather than code, so the risk is insecure implementation advice rather than direct credential access.
Low
False Positive: JWT and HTTP Status Terminology
Static verdict: FALSE POSITIVE. The weak cryptographic algorithm detections point to a JWT description and an HTTP 200-299 status range, with no cryptographic API, algorithm selection, or hashing implementation present.
Both locations are plain documentation text. I found no code path, crypto function, or recommendation to use a weak algorithm.
Low
False Positive: Reconnaissance Terms in API Guidance
Static verdict: FALSE POSITIVE. The system and network reconnaissance detections are ordinary API-client documentation about valid tokens, HTTP 401 handling, context access, error messages, refresh performance, and token tests.
The referenced lines contain no shell commands, port scanning, host discovery, probing loops, or data collection behavior. They are conceptual guidance for API request handling and tests.
Audited by: codex

Audit version 5

Safe

Jan 16, 2026, 03:45 PM

This skill contains only documentation describing JWT API client patterns for Next.js. No executable code, scripts, or network capabilities are present. Purely a conceptual guide for developers. All static findings are false positives from keyword detection in documentation - there is no code to execute, no network requests to make, and no credentials to exfiltrate.

Files analyzed: 1
Lines analyzed: 171
Review items: 0
False positives ignored: 0
No security issues found
Audited by: claude

Audit version 4

Safe

Jan 16, 2026, 03:45 PM

This skill contains only documentation describing JWT API client patterns for Next.js. No executable code, scripts, or network capabilities are present. Purely a conceptual guide for developers. All static findings are false positives from keyword detection in documentation - there is no code to execute, no network requests to make, and no credentials to exfiltrate.

Files analyzed: 1
Lines analyzed: 171
Review items: 0
False positives ignored: 0
No security issues found
Audited by: claude

Audit version 3

Safe

Jan 10, 2026, 09:50 AM

This skill contains only documentation describing JWT API client patterns for Next.js. No executable code, scripts, or network capabilities are present. Purely a conceptual guide for developers.

Files analyzed: 1
Lines analyzed: 171
Review items: 0
False positives ignored: 0
No security issues found
Audited by: claude

Audit version 2

Safe

Jan 10, 2026, 09:50 AM

This skill contains only documentation describing JWT API client patterns for Next.js. No executable code, scripts, or network capabilities are present. Purely a conceptual guide for developers.

Files analyzed: 1
Lines analyzed: 171
Review items: 0
False positives ignored: 0
No security issues found
Audited by: claude

Audit version 1

Safe

Jan 10, 2026, 09:50 AM

This skill contains only documentation describing JWT API client patterns for Next.js. No executable code, scripts, or network capabilities are present. Purely a conceptual guide for developers.

Files analyzed: 1
Lines analyzed: 171
Review items: 0
False positives ignored: 0
No security issues found
Audited by: claude