[NEW SKILL] service-token-origin-allowlist-review #3002

Description

@JeremyZeng77

Proposed Skill

Skill name: service-token-origin-allowlist-review
Category: secrets
Severity: medium

What It Detects

Service or bot tokens can be abused from unintended runtime origins when origin allowlists, network assertions, and token use checks are weaker than operators believe.

Why This Skill Is Needed

Teams often rely on origin restrictions to contain machine credentials, but those restrictions are easy to overestimate. A dedicated skill would help reviewers inspect whether token origin constraints are real and current.

Detection Approach

Trace token issuance, origin binding, runtime use, network assertion, rotation, and exception handling. Review stale allowlists, shared infrastructure, NAT ambiguity, and whether token use remains authorized after origin changes.

Languages / Frameworks

  • Machine token systems
  • Origin allowlist and workload identity controls

Example Vulnerable Code

A token believed to be origin-restricted remains usable from a broader or changed environment because enforcement relies on weak or stale origin assumptions.

Example Remediation

Bind service tokens to strong workload identity where possible, keep origin restrictions explicit and current, and treat stale or ambiguous origin state as a reason to fail closed for high-risk uses.
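As an added example (not code from this proposal or any project), the weak pattern from "Example Vulnerable Code" sits beside the remediation above: the hardened check treats a stale allowlist and a shared NAT egress address as reasons to fail closed unless the caller proves the workload identity the token is bound to. The `Token` and `Allowlist` shapes, the 30-day freshness policy, the SPIFFE-style identifier and the sample addresses are all constructed.

```python
# Constructed example for the skill proposal above; not code from any real project.
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # fixed clock for the demo
MAX_ALLOWLIST_AGE = timedelta(days=30)             # hypothetical review policy

@dataclass
class Token:
    service: str
    workload_id: Optional[str]   # workload identity the token is bound to, if any
    high_risk: bool              # e.g. can move money or change access

@dataclass
class Allowlist:
    cidrs_by_service: dict[str, set[str]]  # service -> permitted source CIDRs
    shared_egress: set[str]                # NAT addresses shared by many workloads
    updated_at: datetime                   # last time an operator reviewed the list

def _in_allowlist(source_ip: str, cidrs: set[str]) -> bool:
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def origin_check_weak(token: Token, source_ip: str, al: Allowlist) -> bool:
    """'Before': any listed IP is trusted, however old the list or shared the NAT."""
    return _in_allowlist(source_ip, al.cidrs_by_service.get(token.service, set()))

def origin_check_hardened(token: Token, source_ip: str,
                          asserted_workload: Optional[str], al: Allowlist) -> tuple:
    """'After': fail closed on stale lists, NAT ambiguity and unbound high-risk tokens."""
    if not _in_allowlist(source_ip, al.cidrs_by_service.get(token.service, set())):
        return False, "origin not allowlisted"
    if token.high_risk and NOW - al.updated_at > MAX_ALLOWLIST_AGE:
        return False, "allowlist stale; failing closed for high-risk use"
    if source_ip in al.shared_egress:
        # Many workloads leave through this NAT address, so the IP alone proves
        # little; require the caller's workload identity to match the token binding.
        if token.workload_id is None or asserted_workload != token.workload_id:
            return False, "shared NAT origin without matching workload identity"
    return True, "ok"

# Constructed fixtures: one recently reviewed list, one untouched for 45 days.
CIDRS = {"billing-bot": {"10.0.1.0/24", "203.0.113.7/32"}}
FRESH = Allowlist(CIDRS, {"203.0.113.7"}, NOW - timedelta(days=1))
STALE = Allowlist(CIDRS, {"203.0.113.7"}, NOW - timedelta(days=45))
BOUND = Token("billing-bot", "spiffe://example.org/billing", high_risk=True)
UNBOUND = Token("billing-bot", None, high_risk=True)
```

Run against the fixtures, the weak check accepts a high-risk call from the shared NAT address on the 45-day-old list, while the hardened check rejects it and only passes the bound token when the asserted workload identity matches.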

References

  • OWASP ASVS
  • NIST SP 800-53
  • Machine credential origin control guidance

Estimated Complexity

  • Standard ($200) — Well-known vuln class, single language, straightforward detection
  • Intermediate ($350) — Multiple languages/frameworks, nuanced detection logic
  • Complex ($500) — Novel detection approach, comprehensive coverage, low FP rate

Bounty Info

Wait for maintainer approval before starting implementation. We'll confirm scope and expected bounty tier within 48 hours.