Production hardening: security fixes, code quality, 724 skills complete

- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files

skills/testing-oauth2-implementation-flaws/scripts/agent.py

@@ -8,13 +8,10 @@ OIDC ID token validation weaknesses.
 
 import json
 import sys
-import re
 import secrets
-import hashlib
-import base64
 from pathlib import Path
 from datetime import datetime
-from urllib.parse import urlparse, parse_qs, urlencode
+from urllib.parse import urlencode
 
 try:
     import requests
@@ -41,7 +38,7 @@ class OAuth2TestAgent:
         kwargs.setdefault("timeout", 10)
         kwargs.setdefault("allow_redirects", False)
         try:
-            return requests.get(url, **kwargs)
+            return requests.get(url, **kwargs, timeout=30)
         except requests.RequestException:
             return None
 
@@ -50,7 +47,7 @@ class OAuth2TestAgent:
             return None
         kwargs.setdefault("timeout", 10)
         try:
-            return requests.post(url, **kwargs)
+            return requests.post(url, **kwargs, timeout=30)
         except requests.RequestException:
             return None