JWT & Auth Auditor

A developer pastes a JWT into a debug log. The logger ships it to Datadog. An attacker finds it in the logs 6 months later. The token never expires.

This skill decodes JWTs without verifying them (which is the point — you need to inspect them even when you don't have the secret), checks their claims against security best practices, scans your codebase for insecure token handling, and finds the OAuth scopes that give more access than necessary.

Zero external API calls: all analysis runs locally. Works with any JWT/OAuth provider.

---

Trigger Phrases

- "JWT audit", "token security…
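The unverified decode and claim checks described in the summary above, as an added example (not the skill's own code): it splits a compact JWT, decodes header and payload without touching the signature, and reports findings such as the never-expiring token from the opening scenario. The finding labels, the `MAX_LIFETIME` threshold, the set of checks and the `make_sample` helper are assumptions made for this illustration.

```python
import base64
import json
import time

MAX_LIFETIME = 24 * 3600  # assumed policy threshold in seconds, not from the page

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_unverified(token):
    """Return (header, claims) WITHOUT checking the signature. Inspection only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must be JSON objects")
    return header, claims

def audit(token, now=None):
    """Return a list of finding labels for one token (labels are illustrative)."""
    now = time.time() if now is None else now
    header, claims = decode_unverified(token)
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg-none")          # unsigned token
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)):
        findings.append("no-exp")            # token never expires
    else:
        if exp < now:
            findings.append("expired")
        if isinstance(iat, (int, float)) and exp - iat > MAX_LIFETIME:
            findings.append("long-lived")
    for name in ("iss", "aud"):
        if name not in claims:
            findings.append(f"no-{name}")    # issuer/audience not pinned
    return findings

def make_sample(header, claims):
    # Hypothetical helper: builds a constructed token with a dummy signature.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl"

if __name__ == "__main__":
    t = make_sample({"alg": "HS256", "typ": "JWT"}, {"sub": "dev-1", "iat": 1700000000})
    print(audit(t, now=1700000100))
```

Because nothing here validates the signature, the output is suitable for auditing a token's contents only, never for an authorization decision.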