
Audit History

frontend-api-client-with-jwt - 6 audits

Audit version 6

Latest: Medium risk

Jun 28, 2026, 03:53 AM

The static findings are documentation terms in SKILL.md, not executable code, command execution, scanning, or exfiltration behavior. One semantic concern remains: the skill lists localStorage as a JWT storage option without enough warning about XSS exposure, so publication should include a security warning.

Files scanned: 1
Lines analyzed: 171
Items for review: 3
Ignored false positives: 0

Confirmed security findings (3)

Security-Sensitive Token Storage Guidance

Static verdict: TRUE POSITIVE as a guidance risk, not as executable malware. The skill lists browser storage options for JWT tokens, including localStorage, which can expose bearer tokens to XSS if used without strong safeguards.
The line explicitly names token storage mechanisms in JWT guidance. The file is prose rather than code, so the risk is insecure implementation advice rather than direct credential access.

False Positive: JWT and HTTP Status Terminology

Static verdict: FALSE POSITIVE. The weak cryptographic algorithm detections point to a JWT description and an HTTP 200-299 status range, with no cryptographic API, algorithm selection, or hashing implementation present.
Both locations are plain documentation text. I found no code path, crypto function, or recommendation to use a weak algorithm.

False Positive: Reconnaissance Terms in API Guidance

Static verdict: FALSE POSITIVE. The system and network reconnaissance detections are ordinary API-client documentation about valid tokens, HTTP 401 handling, context access, error messages, refresh performance, and token tests.
The referenced lines contain no shell commands, port scanning, host discovery, probing loops, or data collection behavior. They are conceptual guidance for API request handling and tests.
Auditor: codex

Audit version 5

Safe

Jan 16, 2026, 03:45 PM

This skill contains only documentation describing JWT API client patterns for Next.js. No executable code, scripts, or network capabilities are present. Purely a conceptual guide for developers. All static findings are false positives from keyword detection in documentation - there is no code to execute, no network requests to make, and no credentials to exfiltrate.

Files scanned: 1
Lines analyzed: 171
Items for review: 0
Ignored false positives: 0
No security issues found
Auditor: claude

Audit version 4

Safe

Jan 16, 2026, 03:45 PM

This skill contains only documentation describing JWT API client patterns for Next.js. No executable code, scripts, or network capabilities are present. Purely a conceptual guide for developers. All static findings are false positives from keyword detection in documentation - there is no code to execute, no network requests to make, and no credentials to exfiltrate.

Files scanned: 1
Lines analyzed: 171
Items for review: 0
Ignored false positives: 0
No security issues found
Auditor: claude

Audit version 3

Safe

Jan 10, 2026, 09:50 AM

This skill contains only documentation describing JWT API client patterns for Next.js. No executable code, scripts, or network capabilities are present. Purely a conceptual guide for developers.

Files scanned: 1
Lines analyzed: 171
Items for review: 0
Ignored false positives: 0
No security issues found
Auditor: claude

Audit version 2

Safe

Jan 10, 2026, 09:50 AM

This skill contains only documentation describing JWT API client patterns for Next.js. No executable code, scripts, or network capabilities are present. Purely a conceptual guide for developers.

Files scanned: 1
Lines analyzed: 171
Items for review: 0
Ignored false positives: 0
No security issues found
Auditor: claude

Audit version 1

Safe

Jan 10, 2026, 09:50 AM

This skill contains only documentation describing JWT API client patterns for Next.js. No executable code, scripts, or network capabilities are present. Purely a conceptual guide for developers.

Files scanned: 1
Lines analyzed: 171
Items for review: 0
Ignored false positives: 0
No security issues found
Auditor: claude