Audit History

frontend-api-client-with-jwt - 6 audits

Audit version 6

Latest: Medium Risk

Jun 28, 2026, 03:53 AM

The static findings are documentation terms in SKILL.md, not executable code, command execution, scanning, or exfiltration behavior. One semantic concern remains: the skill lists localStorage as a JWT storage option without enough warning about XSS exposure, so publication should include a security warning.

Files scanned: 1 | Lines analyzed: 171 | Findings: 3 | Audited by: codex

Medium Risk Issues (1)
Security-Sensitive Token Storage Guidance
Static verdict: TRUE POSITIVE as a guidance risk, not as executable malware. The skill lists browser storage options for JWT tokens, including localStorage, which can expose bearer tokens to XSS if used without strong safeguards.
Low Risk Issues (2)
False Positive: JWT and HTTP Status Terminology
Static verdict: FALSE POSITIVE. The weak cryptographic algorithm detections point to a JWT description and an HTTP 200-299 status range, with no cryptographic API, algorithm selection, or hashing implementation present.
False Positive: Reconnaissance Terms in API Guidance
Static verdict: FALSE POSITIVE. The system and network reconnaissance detections are ordinary API-client documentation about valid tokens, HTTP 401 handling, context access, error messages, refresh performance, and token tests.

Audit version 5

Safe

Jan 16, 2026, 03:45 PM

This skill contains only documentation describing JWT API client patterns for Next.js. No executable code, scripts, or network capabilities are present. Purely a conceptual guide for developers. All static findings are false positives from keyword detection in documentation - there is no code to execute, no network requests to make, and no credentials to exfiltrate.

Files scanned: 1 | Lines analyzed: 171 | Findings: 0 | Audited by: claude

No security issues found

Audit version 4

Safe

Jan 16, 2026, 03:45 PM

This skill contains only documentation describing JWT API client patterns for Next.js. No executable code, scripts, or network capabilities are present. Purely a conceptual guide for developers. All static findings are false positives from keyword detection in documentation - there is no code to execute, no network requests to make, and no credentials to exfiltrate.

Files scanned: 1 | Lines analyzed: 171 | Findings: 0 | Audited by: claude

No security issues found

Audit version 3

Safe

Jan 10, 2026, 09:50 AM

This skill contains only documentation describing JWT API client patterns for Next.js. No executable code, scripts, or network capabilities are present. Purely a conceptual guide for developers.

Files scanned: 1 | Lines analyzed: 171 | Findings: 0 | Audited by: claude

No security issues found

Audit version 2

Safe

Jan 10, 2026, 09:50 AM

This skill contains only documentation describing JWT API client patterns for Next.js. No executable code, scripts, or network capabilities are present. Purely a conceptual guide for developers.

Files scanned: 1 | Lines analyzed: 171 | Findings: 0 | Audited by: claude

No security issues found

Audit version 1

Safe

Jan 10, 2026, 09:50 AM

This skill contains only documentation describing JWT API client patterns for Next.js. No executable code, scripts, or network capabilities are present. Purely a conceptual guide for developers.

Files scanned: 1 | Lines analyzed: 171 | Findings: 0 | Audited by: claude

No security issues found