java-deserialization-methodology

Fail

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: CRITICAL
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill contains a hardcoded default AES encryption key for Apache Shiro (kPH+bIxk5D2deZiIxcaaaA==), which is frequently exploited in automated attacks against misconfigured environments.
  • [COMMAND_EXECUTION]: Provides explicit shell command patterns intended to be executed on target systems via deserialization vulnerabilities (e.g., cat /flag.txt, bash -c {echo,Y2F0IC9mbGFnLnR4dA==}|{base64,-d}|bash).
  • [REMOTE_CODE_EXECUTION]: Offers step-by-step instructions for achieving RCE through various vectors including JNDI injection (LDAP/RMI), Fastjson/Jackson exploitation, and multiple Java gadget chains.
  • [EXTERNAL_DOWNLOADS]: References and encourages the use of external security tools and scripts such as ysoserial.jar, JNDIExploit.jar, shiro_exploit.py, and weblogic_t3_exploit.py for exploitation purposes.
Recommendations
  • CRITICAL: 1 infected file(s) detected - DO NOT USE
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Apr 22, 2026, 07:57 AM