I know this question is not anything new, possibly already been discuss all over the internet.

I'm new to it but after some study, I agree that it is safe as anonymous could sniff the Token but unable to append anything on it. I'm planning to store JWT in HTML5Storage, and decode the payload for some in-sensitive information: DisplayName, email_address, and role_info and etc.

Here is my question, could anonymous sniff my JWT Token and act on-behalf of me? If that is possible, how can I avoid that?

In short, JWT by itself is not safe it's just clear text. JWT in basic terms is a standard protocol for how information is defined otherwise known as claims passed between to parties. In combination with JWS (signature) and JWE (encyption) will make it secure. The over arching topic for this is JOSE - Javascript Object Signing and Encryption. Aside from reading the RFC themselves which you should refer to as well there are ton of information online without stating the obvious nor insulting your search abilities. Check out http://jose.readthedocs.io/en/latest/ (includes reference links to RFCs)

So to answer your question if signed and encrypted with industry secure standards in flight (over the wire) and at rest (ie: database) yes it's secure.

In terms of spoofing as you need to pre-cautions in areas of session jacking and/or token jacking and prevention against things like rainbow tables.

JOSE really is just a standard no matter what standard, what you are really asking is about best practices for security measures, you should refer to OWASP as well https://www.owasp.org/

Does that help clarify your question?