deserialization-insecure

Fail

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS

Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides comprehensive instructions, templates, and specific gadget chains for achieving remote code execution via insecure deserialization across multiple frameworks and languages including Java, PHP, Python, and .NET.
  • [COMMAND_EXECUTION]: Includes numerous shell command examples for running tools like ysoserial, phpggc, and ysoserial.net to generate and deploy malicious serialized objects.
  • [DATA_EXFILTRATION]: References the use of DNS exfiltration services for vulnerability verification, specifically citing the domain xxx.dnslog.cn (flagged as malicious by automated scanners) and burpcollaborator.net for OOB verification.
  • [CREDENTIALS_UNSAFE]: The file SKILL.md contains multiple hardcoded default AES keys for Apache Shiro (e.g., kPH+bIxk5D2deZiIxcaaaA==), which are commonly used in automated exploitation of CVE-2016-4437.
  • [EXTERNAL_DOWNLOADS]: Mentions the requirement for downloading external exploitation binaries and scripts such as ysoserial.jar, marshalsec.jar, and ysoserial.net from third-party sources.
Recommendations
  • CRITICAL: 1 infected file(s) detected - DO NOT USE
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Apr 30, 2026, 12:02 PM