
jwt-inspector

Decode and security-audit a JSON Web Token — flag alg=none, missing/excessive expiry, symmetric-alg confusion risk, missing claims — and attempt an offline HMAC secret crack against a wordlist to detect weak signing keys. Use when the user asks to "decode this JWT", "is this token secure?", "audit a JWT", or "check if this token uses a weak secret".
NovaCode37/claude-security-skills · ★ 8 · AI & Automation · score 74
Install: claude install-skill NovaCode37/claude-security-skills
# JWT Inspector

Decode and audit JSON Web Tokens with **no third-party dependencies**. It splits the token, decodes header + payload, evaluates them against a set of security checks, and (for HMAC tokens) tries a fast offline crack of the signing secret against a wordlist.

## When to use this skill

- "Decode / inspect this JWT."
- "Is this token configured securely?"
- "Does this JWT use a weak/guessable secret?"
- Auditing auth tokens during a security review.

## Checks performed

- **alg=none** (critical) — unsigned, forgeable token.
- **Symmetric alg (HS*)** — HMAC verification key == signing secret; HS/RS confusion and brute-force risk.
- **Missing `exp`** / token never expires; **excessively long** lifetime.
- **`iat` in the future**, missing `nbf`, missing `iss`/`aud`/`sub`.
- **Weak HMAC secret** (critical) — cracked from a built-in or supplied wordlist.

## How to run it

```bash
# Decode + audit
python skills/jwt-inspector/inspector.py "<token>"

# Read token from stdin
echo "<token>" | python skills/jwt-inspector/inspector.py -

# Try cracking the HMAC secret with a custom wordlist
python skills/jwt-inspector/inspector.py "<token>" --secret-list rockyou.txt

# JSON output
python skills/jwt-inspector/inspector.py "<token>" --json
```

**Exit codes:** `0` no high-severity issues · `1` high/critical issue found · `2` malformed input.

## Recommended workflow for Claude

1. Run the inspector and read the decoded payload to understand the token.
2. Report findings
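As an added example (not the skill's own `inspector.py`), a dependency-free Python sketch of the checks listed above: decode without verifying, flag `alg=none`, symmetric algorithms, missing or overly long expiry and absent claims, and test an HS256 signature against a small wordlist to detect a weak secret. The token, fixed clock, secret and wordlist are all constructed for the demo.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))  # restore padding

def decode_jwt(token: str):
    parts = token.split(".")  # compact JWS: header.payload.signature
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(_unb64url(parts[0])), json.loads(_unb64url(parts[1])), parts

def audit(token: str, now: int, max_lifetime: int = 86400) -> list:
    """Apply the inspector-style checks; one finding string per problem."""
    header, payload, _ = decode_jwt(token)
    alg = str(header.get("alg", "")).lower()
    findings = []
    if alg == "none":
        findings.append("CRITICAL alg=none (unsigned, forgeable)")
    elif alg.startswith("hs"):
        findings.append("WARN symmetric alg: verifier holds the signing secret")
    if "exp" not in payload:
        findings.append("HIGH missing exp (never expires)")
    elif payload["exp"] - payload.get("iat", now) > max_lifetime:
        findings.append("WARN lifetime exceeds %d s" % max_lifetime)
    findings += ["INFO missing %s" % c for c in ("nbf", "iss", "aud", "sub") if c not in payload]
    return findings

def weak_hmac_secret(token: str, wordlist):
    """HS256 only: return the wordlist entry that reproduces the signature, else None."""
    header, _, parts = decode_jwt(token)
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    sig = _unb64url(parts[2])
    for cand in wordlist:
        mac = hmac.new(cand.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, sig):
            return cand
    return None

def make_hs256(payload: dict, secret: str) -> str:
    """Build a constructed sample token for the demo (not from any real system)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"
```

A token with `alg=none` still splits into three segments (the signature is empty), so `audit` handles it; `weak_hmac_secret` skips anything that is not HS256.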