java-serialization-audit
Pass
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is a legitimate security tool designed for Java source code auditing. It focuses on identifying known high-risk vulnerability patterns (Deserialization, XXE, SSTI) and providing mitigation guidance.
- [REMOTE_CODE_EXECUTION]: While the skill contains code snippets that demonstrate Remote Code Execution (RCE) vulnerabilities (e.g., Velocity and FreeMarker payloads), these are provided strictly for educational and auditing purposes. The skill does not execute these payloads or attempt to facilitate unauthorized access.
- [DATA_EXFILTRATION]: No data exfiltration or sensitive information harvesting patterns were detected. Network-related patterns mentioned (like OOB XXE or SSRF) are described as potential vulnerabilities to check for in the code being audited.
- [PROMPT_INJECTION]: No prompt injection or instruction override patterns were found. The instructions remain within the scope of a technical security audit guide.
- [EXTERNAL_DOWNLOADS]: The skill refers to standard security tools (like ysoserial) and library dependencies (like commons-collections) but does not perform any unauthorized remote downloads or execution.