Run any Skill in Manus with one click

$pwd:

detecting-insecure-deserialization

Name: Detecting Insecure Deserialization
Author: jeremylongshore

// Scan a source tree for unsafe-by-default deserialization APIs: Python pickle.loads / cPickle / shelve / dill, Ruby Marshal.load / YAML.load (pre-3.1 default), Java ObjectInputStream.readObject, PHP unserialize, .NET BinaryFormatter / NetDataContractSerializer, Node.js node-serialize, JavaScript JSON.parse with reviver containing eval. Use when: pre-commit gate on services that accept binary blobs, audit of legacy job-queue code (workers deserializing tasks), post-bug-report when "we accept user-uploaded archives." Threshold: any call to a known-unsafe deserialization API on data that originates from user input, network, file upload, or untrusted storage. Trigger with: "scan deserialization", "pickle audit", "java readObject scan", "yaml.load check".

Run Skill in Manus

$ git log --oneline --stat

stars:2,267

forks:315

updated:May 31, 2026 at 04:18

File Explorer

4 files

SKILL.md

readonly

name	detecting-insecure-deserialization
description	Scan a source tree for unsafe-by-default deserialization APIs: Python pickle.loads / cPickle / shelve / dill, Ruby Marshal.load / YAML.load (pre-3.1 default), Java ObjectInputStream.readObject, PHP unserialize, .NET BinaryFormatter / NetDataContractSerializer, Node.js node-serialize, JavaScript JSON.parse with reviver containing eval. Use when: pre-commit gate on services that accept binary blobs, audit of legacy job-queue code (workers deserializing tasks), post-bug-report when "we accept user-uploaded archives." Threshold: any call to a known-unsafe deserialization API on data that originates from user input, network, file upload, or untrusted storage. Trigger with: "scan deserialization", "pickle audit", "java readObject scan", "yaml.load check".
allowed-tools	["Read","Bash(python3:*)","Glob","Grep"]
disallowed-tools	["Bash(rm:)","Bash(curl:)"]
version	3.0.0-dev
author	Jeremy Longshore <jeremy@intentsolutions.io>
license	MIT
compatibility	Designed for Claude Code
tags	["security","static-analysis","deserialization","pentest"]

Detecting Insecure Deserialization

Overview

Insecure deserialization (CWE-502, OWASP A08:2021) is the highest- severity injection class in many language stacks because it directly maps to RCE. Pickle, Java serialization, PHP unserialize, and BinaryFormatter all execute object-construction code during deserialization. If that code includes __reduce__ / readObject / __wakeup / OnDeserialization callbacks that the attacker controls, the deserialization step IS code execution.

Most legitimate use cases have safer alternatives (JSON for data, YAML with safe-load, Protocol Buffers, Avro). The remaining cases need explicit type allow-lists and HMAC-signed payloads.

When the skill produces findings

Finding	Severity	Threshold	Affected control
Python `pickle.loads(...)`	CRITICAL	always (untrusted input)	CWE-502
Python `pickle.load(file)`	CRITICAL	always	CWE-502
Python `dill.loads`	CRITICAL	always	CWE-502
Python `yaml.load(...)` without Loader=	CRITICAL	unsafe legacy default	CWE-502
Python `yaml.unsafe_load(...)`	CRITICAL	explicit unsafe	CWE-502
Python `shelve.open(...)`	HIGH	pickle-backed; user-controllable filename	CWE-502
Java `ObjectInputStream.readObject()`	CRITICAL	always	CWE-502
PHP `unserialize($input)`	CRITICAL	non-literal input	CWE-502
.NET `BinaryFormatter.Deserialize(...)`	CRITICAL	deprecated unsafe API	CWE-502
.NET `NetDataContractSerializer`	CRITICAL	also unsafe	CWE-502
.NET `LosFormatter.Deserialize`	CRITICAL	ViewState path	CWE-502
Ruby `Marshal.load(...)`	CRITICAL	non-literal	CWE-502
Ruby `YAML.load(...)` (pre-3.1 Psych)	CRITICAL	safe in Psych 4.0+; needs version check	CWE-502
Node.js `node-serialize.unserialize`	CRITICAL	known-vulnerable lib	CWE-502
Node.js `serialize-javascript` reviver	HIGH	if used to deserialize untrusted	CWE-502

Prerequisites

Python 3.9+
Source tree on local filesystem

Instructions

Run

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-insecure-deserialization/scripts/scan_deserialization.py /path/to/repo

Options same as previous skills: --output, --format, --min-severity, --include-tests, --languages.

Interpret

CRITICAL across the board because these APIs grant RCE during deserialization if the input is attacker-controlled. The verification step is "can the input ever originate from untrusted source" — if yes, it's an immediate fix.

Remediation

The fix depends on the data shape:

Data is structured (JSON-shaped): switch to json.loads.
Data needs polymorphism / arbitrary types: define a strict schema (Pydantic / dataclasses / Protocol Buffers) and validate on parse.
Data must round-trip exact Python / Java / .NET objects: use HMAC-signed serialization with an explicit type allow-list.

See references/PLAYBOOK.md for per-language migrations.

Examples

Worker-queue audit

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-insecure-deserialization/scripts/scan_deserialization.py \
    /path/to/celery-workers --min-severity high

Celery defaults to pickle in older configurations; this finds the remaining unsafe-default callers.

CI

- name: Deserialization scan
  run: |
    python3 plugins/security/penetration-tester/skills/detecting-insecure-deserialization/scripts/scan_deserialization.py \
        . --min-severity high

Output

JSON / JSONL / Markdown. Exit codes: 0 / 1 / 2.

Error Handling

Pickle / Marshal usage on a private cache file written by the same application is technically safe (the attacker can't influence the file contents). The scanner flags it as CRITICAL; verify by reading where the input file originates.

Resources

references/THEORY.md — Why deserialization is RCE, gadget chains, HMAC-signing pattern, schema-validation alternatives
references/PLAYBOOK.md — Per-language migrations (Python pickle → JSON / msgpack, yaml.load → yaml.safe_load, Java ObjectInputStream → JSON via Jackson with allow-list, PHP unserialize → JSON alternatives, .NET BinaryFormatter → System.Text.Json)

related-skills.json

same repository

detecting-command-injection-patterns.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for command-injection vulnerable patterns: shell=True calls in Python subprocess, os.system / os.popen with interpolated strings, Node child_process.exec with template literals, Ruby backticks / Kernel#system / Kernel#exec with interpolation, Go exec.Command with shell wrapping, PHP system / passthru / shell_exec / backticks with $-interpolation, Java Runtime.exec with concatenated args. Use when: pre-commit gate on code that calls out to shell utilities, audit of file-processing / archive-handling / image-conversion code, post-bug-report investigation for "we shell out to a tool." Threshold: any shell-invocation API called with a string that contains a variable interpolation, OR shell=True with anything other than a fixed literal. Trigger with: "scan command injection", "shell=True audit", "find exec calls", "check os.system".

2026-05-312.3k

detecting-eval-exec-usage.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for dynamic-code-execution APIs that an attacker can hijack: Python eval / exec / compile, JavaScript eval / Function() / setTimeout(string), Ruby eval / instance_eval / class_eval, Java ScriptEngine, PHP eval / assert($str), .NET Activator.CreateInstance / Reflection.Emit with dynamic input. Use when: pre-commit gate on any application that parses user-uploaded code (rule engines, formula evaluators, plugin systems), or post-bug-report when "we run user-supplied expressions." Threshold: any call to eval / exec / Function / similar where the argument is not a string literal. Trigger with: "scan eval", "find dynamic exec", "audit eval calls", "code injection patterns".

2026-05-312.3k

detecting-sql-injection-patterns.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for SQL-injection vulnerable patterns: string concatenation into queries, f-string interpolation in SQL, string-format substitution into raw queries, deprecated cursor methods (cursor.execute with % formatting), Knex / Sequelize raw() with template interpolation, sequelize.query with replacements. Use when: pre-commit code review, post-feature SQL-touching release, inheriting a legacy codebase that predates ORMs, or post-bug-report investigation. Threshold: any source line where SQL keywords (SELECT / INSERT / UPDATE / DELETE / FROM / WHERE) appear in a string that's being built via concatenation, f-string, %-format, or .format() with variable input. Trigger with: "scan for sqli", "sql injection patterns", "check raw queries", "audit cursor.execute".

2026-05-312.3k

detecting-weak-cryptography.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for weak cryptographic primitives: MD5 / SHA-1 used for security purposes, DES / 3DES / RC4 ciphers, ECB block mode, custom-built crypto (XOR loops, hand-rolled HMAC), hardcoded IVs, predictable random (Math.random / java.util.Random for crypto seeds), missing certificate verification (verify=False, rejectUnauthorized: false). Use when: pre-merge gate on crypto-touching code, audit before SOC2 / PCI assessment, post-incident review when "we found a weakness in our token signing." Threshold: any call to a known-weak algorithm with non-test context, OR cert verification explicitly disabled, OR a custom crypto loop pattern. Trigger with: "scan weak crypto", "find MD5 usage", "check ECB mode", "audit ssl verify", "weak random".

2026-05-312.3k

scanning-for-hardcoded-secrets.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source-code tree for hardcoded credentials embedded in source files: AWS access keys, GitHub tokens, Stripe keys, Slack tokens, Anthropic API keys, OpenAI keys, JWT signing secrets, generic base64-encoded passwords, RSA / SSH private keys, and high-entropy string literals that pattern-match common credential shapes. Use when: pre-commit gate before pushing a feature branch, audit before SOC2, post-incident scan after a leak, or inheriting a codebase you didn't write. Threshold: any source file contains a string that matches a canonical credential regex (AWS AKIA prefix, GitHub ghp_ prefix, etc.) OR a string with Shannon entropy above 4.5 in a field context (key=, token:, secret=). Trigger with: "scan secrets", "credential scan", "find hardcoded keys", "leak check".

2026-05-312.3k

detecting-directory-listing.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Probe a target for directories that return auto-generated index listings instead of denying or serving a specific file — exposes the full file tree under any reachable directory, including files the application never linked to. Use when: post-deploy verification on a static-asset host, security audit before SOC2, or following up on a finding from skill #6 (exposed-files) where a backup-file path returned 200 with HTML body instead of the expected file content (suggests autoindex serving a directory listing). Threshold: any directory-shaped path returns 200 with HTML body matching the framework-specific autoindex fingerprint (nginx fancyindex, Apache mod_autoindex Index of/, Caddy browse, Lighttpd mod_dirlisting, etc.). Trigger with: "directory listing check", "autoindex detection", "open directory scan".

2026-05-312.3k

package.json

"author": "jeremylongshore"

"repository": "jeremylongshore/claude-code-plugins-plus-skills"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name	detecting-insecure-deserialization
description	Scan a source tree for unsafe-by-default deserialization APIs: Python pickle.loads / cPickle / shelve / dill, Ruby Marshal.load / YAML.load (pre-3.1 default), Java ObjectInputStream.readObject, PHP unserialize, .NET BinaryFormatter / NetDataContractSerializer, Node.js node-serialize, JavaScript JSON.parse with reviver containing eval. Use when: pre-commit gate on services that accept binary blobs, audit of legacy job-queue code (workers deserializing tasks), post-bug-report when "we accept user-uploaded archives." Threshold: any call to a known-unsafe deserialization API on data that originates from user input, network, file upload, or untrusted storage. Trigger with: "scan deserialization", "pickle audit", "java readObject scan", "yaml.load check".
allowed-tools	["Read","Bash(python3:*)","Glob","Grep"]
disallowed-tools	["Bash(rm:)","Bash(curl:)"]
version	3.0.0-dev
author	Jeremy Longshore <jeremy@intentsolutions.io>
license	MIT
compatibility	Designed for Claude Code
tags	["security","static-analysis","deserialization","pentest"]

Detecting Insecure Deserialization

Overview

Most legitimate use cases have safer alternatives (JSON for data, YAML with safe-load, Protocol Buffers, Avro). The remaining cases need explicit type allow-lists and HMAC-signed payloads.

When the skill produces findings

Finding	Severity	Threshold	Affected control
Python `pickle.loads(...)`	CRITICAL	always (untrusted input)	CWE-502
Python `pickle.load(file)`	CRITICAL	always	CWE-502
Python `dill.loads`	CRITICAL	always	CWE-502
Python `yaml.load(...)` without Loader=	CRITICAL	unsafe legacy default	CWE-502
Python `yaml.unsafe_load(...)`	CRITICAL	explicit unsafe	CWE-502
Python `shelve.open(...)`	HIGH	pickle-backed; user-controllable filename	CWE-502
Java `ObjectInputStream.readObject()`	CRITICAL	always	CWE-502
PHP `unserialize($input)`	CRITICAL	non-literal input	CWE-502
.NET `BinaryFormatter.Deserialize(...)`	CRITICAL	deprecated unsafe API	CWE-502
.NET `NetDataContractSerializer`	CRITICAL	also unsafe	CWE-502
.NET `LosFormatter.Deserialize`	CRITICAL	ViewState path	CWE-502
Ruby `Marshal.load(...)`	CRITICAL	non-literal	CWE-502
Ruby `YAML.load(...)` (pre-3.1 Psych)	CRITICAL	safe in Psych 4.0+; needs version check	CWE-502
Node.js `node-serialize.unserialize`	CRITICAL	known-vulnerable lib	CWE-502
Node.js `serialize-javascript` reviver	HIGH	if used to deserialize untrusted	CWE-502

Prerequisites

Python 3.9+
Source tree on local filesystem

Instructions

Run

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-insecure-deserialization/scripts/scan_deserialization.py /path/to/repo

Options same as previous skills: --output, --format, --min-severity, --include-tests, --languages.

Interpret

Remediation

The fix depends on the data shape:

Data is structured (JSON-shaped): switch to json.loads.
Data needs polymorphism / arbitrary types: define a strict schema (Pydantic / dataclasses / Protocol Buffers) and validate on parse.
Data must round-trip exact Python / Java / .NET objects: use HMAC-signed serialization with an explicit type allow-list.

See references/PLAYBOOK.md for per-language migrations.

Examples

Worker-queue audit

python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-insecure-deserialization/scripts/scan_deserialization.py \
    /path/to/celery-workers --min-severity high

Celery defaults to pickle in older configurations; this finds the remaining unsafe-default callers.

CI

- name: Deserialization scan
  run: |
    python3 plugins/security/penetration-tester/skills/detecting-insecure-deserialization/scripts/scan_deserialization.py \
        . --min-severity high

Output

JSON / JSONL / Markdown. Exit codes: 0 / 1 / 2.

Error Handling

Resources

references/THEORY.md — Why deserialization is RCE, gadget chains, HMAC-signing pattern, schema-validation alternatives
references/PLAYBOOK.md — Per-language migrations (Python pickle → JSON / msgpack, yaml.load → yaml.safe_load, Java ObjectInputStream → JSON via Jackson with allow-list, PHP unserialize → JSON alternatives, .NET BinaryFormatter → System.Text.Json)

detecting-insecure-deserialization

Detecting Insecure Deserialization

Overview

When the skill produces findings

Prerequisites

Instructions

Run

Interpret

Remediation

Examples

Worker-queue audit

CI

Output

Error Handling

Resources

More from this repository

More from this repository

Detecting Insecure Deserialization

Overview

When the skill produces findings

Prerequisites

Instructions

Run

Interpret

Remediation

Examples

Worker-queue audit

CI

Output

Error Handling

Resources