Gen Agent Trust Hub audit: skills/mukul975/anthropic-cybersecurity-skills/exploiting-insecure-deserialization
exploiting-insecure-deserialization
Fail
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: HIGH
Finding categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides detailed instructions and command-line examples for generating and delivering payloads that achieve Remote Code Execution (RCE) via insecure deserialization across multiple programming environments including Java, PHP, and .NET.
- [REMOTE_CODE_EXECUTION]: The Python agent script (scripts/agent.py) includes a function 'test_python_pickle' that constructs malicious pickle objects at runtime: the object's '__reduce__' method returns 'os.system' together with an attacker-chosen command string, so that unpickling the object on the target executes that shell command.
- [DATA_EXFILTRATION]: Documentation in SKILL.md explicitly shows how to exfiltrate sensitive system data, such as the output of the 'whoami' command, to an external server using out-of-band (OOB) callback techniques.
- [EXTERNAL_DOWNLOADS]: The skill instructs users to download and execute multiple third-party exploitation frameworks from GitHub, specifically 'ysoserial', 'ysoserial.net', and 'PHPGGC', which are used to generate malicious payloads.
- [COMMAND_EXECUTION]: The provided agent script generates payloads that run shell commands on the target machine (via 'os.system') to test connectivity and confirm that command execution succeeded.
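Added illustration, not code from the audited skill (scripts/agent.py) or from the Trust Hub report: the '__reduce__' plus 'os.system' construction described in the findings above, built with a constructed placeholder command that is never executed, next to the two checks a consumer of untrusted pickles would want. The first is a static opcode scan with pickletools that lists every global a payload would import without running it; the second is a pickle.Unpickler subclass whose find_class refuses anything not on an allowlist, which stops the gadget before REDUCE can call the function. Names such as build_gadget, list_globals, RestrictedUnpickler and the sample data are this example's own assumptions.

```python
"""Pickle gadget pattern from the audit findings, plus two checks that catch
it before anything executes. Added example; not the audited skill's code.
The command string and the sample data below are constructed."""
import io
import os
import pickle
import pickletools


class PickleGadget:
    """Object whose __reduce__ tells the unpickler to call os.system(cmd).

    This is the construction the audit flags: pickle.dumps() records the
    callable and its argument, and a stock pickle.loads() on the receiving
    side performs the call. Nothing here runs the command; the bytes are
    only produced so the checks below have something to inspect."""

    def __init__(self, cmd: str) -> None:
        self.cmd = cmd

    def __reduce__(self):
        return (os.system, (self.cmd,))


def build_gadget(cmd: str = "id") -> bytes:
    """Serialize the gadget. 'id' is a constructed placeholder command."""
    return pickle.dumps(PickleGadget(cmd))


def build_benign() -> bytes:
    """Ordinary data that needs no global lookups to unpickle (constructed)."""
    return pickle.dumps({"user": "alice", "roles": ["dev"]})


def list_globals(data: bytes) -> list:
    """Static check: walk the opcode stream and collect every (module, name)
    the unpickler would import, without executing the pickle.

    GLOBAL (protocols 0-3) carries 'module name' as one argument;
    STACK_GLOBAL (protocol 4+) takes module and name from the two most
    recently pushed strings. Strings fetched back from the memo (BINGET)
    are not followed, so this is a triage filter; the restricted
    unpickler below is the authoritative gate."""
    found = []
    recent_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, qualname = arg.split(" ", 1)
            found.append((module, qualname))
        elif op.name == "STACK_GLOBAL":
            found.append((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return found


# Globals a given consumer legitimately needs. Empty here because plain
# dicts, lists and strings need none; extend per application, never with
# anything that can reach the shell or an import.
ALLOWED_GLOBALS = frozenset()


def is_suspicious(data: bytes) -> bool:
    """True if the pickle references any global outside the allowlist."""
    return any(g not in ALLOWED_GLOBALS for g in list_globals(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Runtime check: refuse every global lookup not on the allowlist.
    find_class() is what resolves GLOBAL/STACK_GLOBAL, so a gadget that
    references os.system fails here, before REDUCE could call it."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data: bytes):
    """Unpickle with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_is_blocked(data: bytes) -> bool:
    """Yes/no wrapper around safe_loads for callers that log rather than raise."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    gadget = build_gadget()
    print("globals referenced:", list_globals(gadget))
    print("suspicious:", is_suspicious(gadget))
    print("restricted load blocked:", load_is_blocked(gadget))
    print("benign data loads as:", safe_loads(build_benign()))
```

On a Linux interpreter the scan reports the gadget's import as the 'posix' module's 'system' function, which is what pickle records for os.system; a Windows build records 'nt'. An allowlist should therefore be keyed on the module name pickle actually writes, not on the name the attacker typed. The restricted loader is exact because find_class receives the resolved strings regardless of protocol or memoization; the preferred fix for the pattern the audit describes remains not to unpickle untrusted input at all and to use a data-only format such as JSON.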
Recommendations
- AI analysis detected serious security threats
Audit Metadata