ワンクリックでManusで任意のスキルを実行

$pwd:

detecting-insecure-deserialization

Name: Detecting Insecure Deserialization
Author: jeremylongshore

// Scan a source tree for unsafe-by-default deserialization APIs: Python pickle.loads / cPickle / shelve / dill, Ruby Marshal.load / YAML.load (pre-3.1 default), Java ObjectInputStream.readObject, PHP unserialize, .NET BinaryFormatter / NetDataContractSerializer, Node.js node-serialize, JavaScript JSON.parse with reviver containing eval. Use when: pre-commit gate on services that accept binary blobs, audit of legacy job-queue code (workers deserializing tasks), post-bug-report when "we accept user-uploaded archives." Threshold: any call to a known-unsafe deserialization API on data that originates from user input, network, file upload, or untrusted storage. Trigger with: "scan deserialization", "pickle audit", "java readObject scan", "yaml.load check".

Manusで実行

$ git log --oneline --stat

stars:2,267

forks:315

updated:2026年5月31日 04:18

ファイルエクスプローラー

4 ファイル

SKILL.md

readonly

name	detecting-insecure-deserialization
description	Scan a source tree for unsafe-by-default deserialization APIs: Python pickle.loads / cPickle / shelve / dill, Ruby Marshal.load / YAML.load (pre-3.1 default), Java ObjectInputStream.readObject, PHP unserialize, .NET BinaryFormatter / NetDataContractSerializer, Node.js node-serialize, JavaScript JSON.parse with reviver containing eval. Use when: pre-commit gate on services that accept binary blobs, audit of legacy job-queue code (workers deserializing tasks), post-bug-report when "we accept user-uploaded archives." Threshold: any call to a known-unsafe deserialization API on data that originates from user input, network, file upload, or untrusted storage. Trigger with: "scan deserialization", "pickle audit", "java readObject scan", "yaml.load check".
allowed-tools	["Read","Bash(python3:*)","Glob","Grep"]
disallowed-tools	["Bash(rm:)","Bash(curl:)"]
version	3.0.0-dev
author	Jeremy Longshore <jeremy@intentsolutions.io>
license	MIT
compatibility	Designed for Claude Code
tags	["security","static-analysis","deserialization","pentest"]

Detecting Insecure Deserialization

Overview

Insecure deserialization (CWE-502, OWASP A08:2021) is the highest- severity injection class in many language stacks because it directly maps to RCE. Pickle, Java serialization, PHP unserialize, and BinaryFormatter all execute object-construction code during deserialization. If that code includes __reduce__ / readObject / __wakeup / OnDeserialization callbacks that the attacker controls, the deserialization step IS code execution.

Most legitimate use cases have safer alternatives (JSON for data, YAML with safe-load, Protocol Buffers, Avro). The remaining cases need explicit type allow-lists and HMAC-signed payloads.

When the skill produces findings

Finding	Severity	Threshold	Affected control
Python `pickle.loads(...)`	CRITICAL	always (untrusted input)	CWE-502
Python `pickle.load(file)`	CRITICAL	always	CWE-502
Python `dill.loads`	CRITICAL	always	CWE-502
Python `yaml.load(...)` without Loader=	CRITICAL	unsafe legacy default	CWE-502
Python `yaml.unsafe_load(...)`	CRITICAL	explicit unsafe	CWE-502
Python `shelve.open(...)`	HIGH	pickle-backed; user-controllable filename	CWE-502
Java `ObjectInputStream.readObject()`	CRITICAL	always	CWE-502
PHP `unserialize($input)`	CRITICAL	non-literal input	CWE-502
.NET `BinaryFormatter.Deserialize(...)`	CRITICAL	deprecated unsafe API	CWE-502
.NET `NetDataContractSerializer`	CRITICAL	also unsafe	CWE-502
.NET `LosFormatter.Deserialize`	CRITICAL	ViewState path	CWE-502
Ruby `Marshal.load(...)`	CRITICAL	non-literal	CWE-502
Ruby `YAML.load(...)` (pre-3.1 Psych)	CRITICAL	safe in Psych 4.0+; needs version check	CWE-502
Node.js `node-serialize.unserialize`	CRITICAL	known-vulnerable lib	CWE-502
Node.js `serialize-javascript` reviver	HIGH	if used to deserialize untrusted	CWE-502

Prerequisites

Python 3.9+
Source tree on local filesystem

Instructions

Run

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-insecure-deserialization/scripts/scan_deserialization.py /path/to/repo

Options same as previous skills: --output, --format, --min-severity, --include-tests, --languages.

Interpret

CRITICAL across the board because these APIs grant RCE during deserialization if the input is attacker-controlled. The verification step is "can the input ever originate from untrusted source" — if yes, it's an immediate fix.

Remediation

The fix depends on the data shape:

Data is structured (JSON-shaped): switch to json.loads.
Data needs polymorphism / arbitrary types: define a strict schema (Pydantic / dataclasses / Protocol Buffers) and validate on parse.
Data must round-trip exact Python / Java / .NET objects: use HMAC-signed serialization with an explicit type allow-list.

See references/PLAYBOOK.md for per-language migrations.

Examples

Worker-queue audit

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-insecure-deserialization/scripts/scan_deserialization.py \
    /path/to/celery-workers --min-severity high

Celery defaults to pickle in older configurations; this finds the remaining unsafe-default callers.

CI

- name: Deserialization scan
  run: |
    python3 plugins/security/penetration-tester/skills/detecting-insecure-deserialization/scripts/scan_deserialization.py \
        . --min-severity high

Output

JSON / JSONL / Markdown. Exit codes: 0 / 1 / 2.

Error Handling

Pickle / Marshal usage on a private cache file written by the same application is technically safe (the attacker can't influence the file contents). The scanner flags it as CRITICAL; verify by reading where the input file originates.

Resources

references/THEORY.md — Why deserialization is RCE, gadget chains, HMAC-signing pattern, schema-validation alternatives
references/PLAYBOOK.md — Per-language migrations (Python pickle → JSON / msgpack, yaml.load → yaml.safe_load, Java ObjectInputStream → JSON via Jackson with allow-list, PHP unserialize → JSON alternatives, .NET BinaryFormatter → System.Text.Json)

related-skills.json

同じリポジトリ

detecting-command-injection-patterns.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for command-injection vulnerable patterns: shell=True calls in Python subprocess, os.system / os.popen with interpolated strings, Node child_process.exec with template literals, Ruby backticks / Kernel#system / Kernel#exec with interpolation, Go exec.Command with shell wrapping, PHP system / passthru / shell_exec / backticks with $-interpolation, Java Runtime.exec with concatenated args. Use when: pre-commit gate on code that calls out to shell utilities, audit of file-processing / archive-handling / image-conversion code, post-bug-report investigation for "we shell out to a tool." Threshold: any shell-invocation API called with a string that contains a variable interpolation, OR shell=True with anything other than a fixed literal. Trigger with: "scan command injection", "shell=True audit", "find exec calls", "check os.system".

2026-05-312.3k

detecting-eval-exec-usage.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for dynamic-code-execution APIs that an attacker can hijack: Python eval / exec / compile, JavaScript eval / Function() / setTimeout(string), Ruby eval / instance_eval / class_eval, Java ScriptEngine, PHP eval / assert($str), .NET Activator.CreateInstance / Reflection.Emit with dynamic input. Use when: pre-commit gate on any application that parses user-uploaded code (rule engines, formula evaluators, plugin systems), or post-bug-report when "we run user-supplied expressions." Threshold: any call to eval / exec / Function / similar where the argument is not a string literal. Trigger with: "scan eval", "find dynamic exec", "audit eval calls", "code injection patterns".

2026-05-312.3k

detecting-sql-injection-patterns.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for SQL-injection vulnerable patterns: string concatenation into queries, f-string interpolation in SQL, string-format substitution into raw queries, deprecated cursor methods (cursor.execute with % formatting), Knex / Sequelize raw() with template interpolation, sequelize.query with replacements. Use when: pre-commit code review, post-feature SQL-touching release, inheriting a legacy codebase that predates ORMs, or post-bug-report investigation. Threshold: any source line where SQL keywords (SELECT / INSERT / UPDATE / DELETE / FROM / WHERE) appear in a string that's being built via concatenation, f-string, %-format, or .format() with variable input. Trigger with: "scan for sqli", "sql injection patterns", "check raw queries", "audit cursor.execute".

2026-05-312.3k

detecting-weak-cryptography.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for weak cryptographic primitives: MD5 / SHA-1 used for security purposes, DES / 3DES / RC4 ciphers, ECB block mode, custom-built crypto (XOR loops, hand-rolled HMAC), hardcoded IVs, predictable random (Math.random / java.util.Random for crypto seeds), missing certificate verification (verify=False, rejectUnauthorized: false). Use when: pre-merge gate on crypto-touching code, audit before SOC2 / PCI assessment, post-incident review when "we found a weakness in our token signing." Threshold: any call to a known-weak algorithm with non-test context, OR cert verification explicitly disabled, OR a custom crypto loop pattern. Trigger with: "scan weak crypto", "find MD5 usage", "check ECB mode", "audit ssl verify", "weak random".

2026-05-312.3k

scanning-for-hardcoded-secrets.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source-code tree for hardcoded credentials embedded in source files: AWS access keys, GitHub tokens, Stripe keys, Slack tokens, Anthropic API keys, OpenAI keys, JWT signing secrets, generic base64-encoded passwords, RSA / SSH private keys, and high-entropy string literals that pattern-match common credential shapes. Use when: pre-commit gate before pushing a feature branch, audit before SOC2, post-incident scan after a leak, or inheriting a codebase you didn't write. Threshold: any source file contains a string that matches a canonical credential regex (AWS AKIA prefix, GitHub ghp_ prefix, etc.) OR a string with Shannon entropy above 4.5 in a field context (key=, token:, secret=). Trigger with: "scan secrets", "credential scan", "find hardcoded keys", "leak check".

2026-05-312.3k

detecting-directory-listing.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Probe a target for directories that return auto-generated index listings instead of denying or serving a specific file — exposes the full file tree under any reachable directory, including files the application never linked to. Use when: post-deploy verification on a static-asset host, security audit before SOC2, or following up on a finding from skill #6 (exposed-files) where a backup-file path returned 200 with HTML body instead of the expected file content (suggests autoindex serving a directory listing). Threshold: any directory-shaped path returns 200 with HTML body matching the framework-specific autoindex fingerprint (nginx fancyindex, Apache mod_autoindex Index of/, Caddy browse, Lighttpd mod_dirlisting, etc.). Trigger with: "directory listing check", "autoindex detection", "open directory scan".

2026-05-312.3k

package.json

"author": "jeremylongshore"

"repository": "jeremylongshore/claude-code-plugins-plus-skills"

GitHub リポジトリを開く Creator のリポジトリを見る

$ install --global

$ download --local

Manusで実行

$ useful --forSOC

情報セキュリティアナリストコンピュータ・数学職15-1212L4

name	detecting-insecure-deserialization
description	Scan a source tree for unsafe-by-default deserialization APIs: Python pickle.loads / cPickle / shelve / dill, Ruby Marshal.load / YAML.load (pre-3.1 default), Java ObjectInputStream.readObject, PHP unserialize, .NET BinaryFormatter / NetDataContractSerializer, Node.js node-serialize, JavaScript JSON.parse with reviver containing eval. Use when: pre-commit gate on services that accept binary blobs, audit of legacy job-queue code (workers deserializing tasks), post-bug-report when "we accept user-uploaded archives." Threshold: any call to a known-unsafe deserialization API on data that originates from user input, network, file upload, or untrusted storage. Trigger with: "scan deserialization", "pickle audit", "java readObject scan", "yaml.load check".
allowed-tools	["Read","Bash(python3:*)","Glob","Grep"]
disallowed-tools	["Bash(rm:)","Bash(curl:)"]
version	3.0.0-dev
author	Jeremy Longshore <jeremy@intentsolutions.io>
license	MIT
compatibility	Designed for Claude Code
tags	["security","static-analysis","deserialization","pentest"]

Detecting Insecure Deserialization

Overview

Most legitimate use cases have safer alternatives (JSON for data, YAML with safe-load, Protocol Buffers, Avro). The remaining cases need explicit type allow-lists and HMAC-signed payloads.

When the skill produces findings

Finding	Severity	Threshold	Affected control
Python `pickle.loads(...)`	CRITICAL	always (untrusted input)	CWE-502
Python `pickle.load(file)`	CRITICAL	always	CWE-502
Python `dill.loads`	CRITICAL	always	CWE-502
Python `yaml.load(...)` without Loader=	CRITICAL	unsafe legacy default	CWE-502
Python `yaml.unsafe_load(...)`	CRITICAL	explicit unsafe	CWE-502
Python `shelve.open(...)`	HIGH	pickle-backed; user-controllable filename	CWE-502
Java `ObjectInputStream.readObject()`	CRITICAL	always	CWE-502
PHP `unserialize($input)`	CRITICAL	non-literal input	CWE-502
.NET `BinaryFormatter.Deserialize(...)`	CRITICAL	deprecated unsafe API	CWE-502
.NET `NetDataContractSerializer`	CRITICAL	also unsafe	CWE-502
.NET `LosFormatter.Deserialize`	CRITICAL	ViewState path	CWE-502
Ruby `Marshal.load(...)`	CRITICAL	non-literal	CWE-502
Ruby `YAML.load(...)` (pre-3.1 Psych)	CRITICAL	safe in Psych 4.0+; needs version check	CWE-502
Node.js `node-serialize.unserialize`	CRITICAL	known-vulnerable lib	CWE-502
Node.js `serialize-javascript` reviver	HIGH	if used to deserialize untrusted	CWE-502

Prerequisites

Python 3.9+
Source tree on local filesystem

Instructions

Run

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-insecure-deserialization/scripts/scan_deserialization.py /path/to/repo

Options same as previous skills: --output, --format, --min-severity, --include-tests, --languages.

Interpret

Remediation

The fix depends on the data shape:

Data is structured (JSON-shaped): switch to json.loads.
Data needs polymorphism / arbitrary types: define a strict schema (Pydantic / dataclasses / Protocol Buffers) and validate on parse.
Data must round-trip exact Python / Java / .NET objects: use HMAC-signed serialization with an explicit type allow-list.

See references/PLAYBOOK.md for per-language migrations.

Examples

Worker-queue audit

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-insecure-deserialization/scripts/scan_deserialization.py \
    /path/to/celery-workers --min-severity high

Celery defaults to pickle in older configurations; this finds the remaining unsafe-default callers.

CI

- name: Deserialization scan
  run: |
    python3 plugins/security/penetration-tester/skills/detecting-insecure-deserialization/scripts/scan_deserialization.py \
        . --min-severity high

Output

JSON / JSONL / Markdown. Exit codes: 0 / 1 / 2.

Error Handling

Resources

references/THEORY.md — Why deserialization is RCE, gadget chains, HMAC-signing pattern, schema-validation alternatives
references/PLAYBOOK.md — Per-language migrations (Python pickle → JSON / msgpack, yaml.load → yaml.safe_load, Java ObjectInputStream → JSON via Jackson with allow-list, PHP unserialize → JSON alternatives, .NET BinaryFormatter → System.Text.Json)

detecting-insecure-deserialization

Detecting Insecure Deserialization

Overview

When the skill produces findings

Prerequisites

Instructions

Run

Interpret

Remediation

Examples

Worker-queue audit

CI

Output

Error Handling

Resources

このリポジトリの他の Skills

Detecting Insecure Deserialization

Overview

When the skill produces findings

Prerequisites

Instructions

Run

Interpret

Remediation

Examples

Worker-queue audit

CI

Output

Error Handling

Resources

このリポジトリの他の Skills