Scan a source tree for unsafe-by-default deserialization APIs: Python pickle.loads / cPickle / shelve / dill, Ruby Marshal.load / YAML.load (pre-3.1 default), Java ObjectInputStream.readObject, PHP unserialize, .NET BinaryFormatter / NetDataContractSerializer, Node.js node-serialize, JavaScript JSON.parse with reviver containing eval. Use when: pre-commit gate on services that accept binary blobs, audit of legacy job-queue code (workers deserializing tasks), post-bug-report when "we accept user-uploaded archives." Threshold: any call to a known-unsafe deserialization API on data that originates from user input, network, file upload, or untrusted storage. Trigger with: "scan deserialization", "pickle audit", "java readObject scan", "yaml.load check".
About this skill (catalog notes)
Detecting Insecure Deserialization includes a dedicated installation section; worked examples; at least one code block. The SKILL.md is on the shorter side at about 555 words.
How Detecting Insecure Deserialization fits the catalog
Detecting Insecure Deserialization sits in the Dev Tools category under the linters-formatters sub-topic in the ClaudSkills catalog. There are 10 related skills indexed alongside it; comparing a few before installing usually reveals which fits your workflow best.
These notes are auto-generated from features detected in the SKILL.md file and from this catalog's structure — they aren't part of the source repository.
What this skill does
Detecting Insecure Deserialization is a community-contributed Claude Code skill in the linters-formatters sub-category. It ships as a SKILL.md file that Claude Code auto-discovers under ~/.claude/skills/detecting-insecure-deserialization/ and loads when your prompt matches the skill's trigger.
When to invoke it: Use when: pre-commit gate on services that accept binary blobs, audit of legacy job-queue code (workers deserializing tasks), post-bug-report when "we accept user-uploaded archives." Threshold: any call to a known-unsafe deserialization API on data that originates from user input, network, file upload, or untrusted storage.
Who uses this skill
The Detecting Insecure Deserialization Claude Code skill is built for developers, power users, and teams automating repetitive workflows and improving developer experience. It's part of ClaudSkills (also referred to as Claude Skills or Claude Code Skills) — the open community-curated registry of 92,000+ SKILL.md files for Anthropic's Claude Code agent and the wider Claude ecosystem (Claude API, Claude Agent SDK).
Or just download SKILL.md directly and drop it into ~/.claude/skills/detecting-insecure-deserialization/. Claude Code auto-discovers it on next session.
Skills live at ~/.claude/skills/detecting-insecure-deserialization/SKILL.md on macOS/Linux, or %USERPROFILE%\.claude\skills\detecting-insecure-deserialization\SKILL.md on Windows. See the full install guide for step-by-step instructions.
Pro
One-click install via the desktop app
The ClaudSkills desktop app installs any skill directly into ~/.claude/skills/ with one click — no terminal required. Pro starts at $9/mo or $149 lifetime.
Pro
For the full experience including quality scoring and one-click install features for each skill — upgrade to Pro.
How do I install the Detecting Insecure Deserialization Claude Code skill?
Install via the ClaudSkills desktop app (one click) or copy SKILL.md from the source repository to ~/.claude/skills/detecting-insecure-deserialization/SKILL.md and restart Claude Code. Both flows are detailed at claudskills.com/install/.
What does the Detecting Insecure Deserialization skill do?
Scan a source tree for unsafe-by-default deserialization APIs: Python pickle.loads / cPickle / shelve / dill, Ruby Marshal.load / YAML.load (pre-3.1 default), Java ObjectInputStream.readObject, PHP unserialize, .NET BinaryFormatter / NetDataContractSerializer, Node.js node-serialize, JavaScript JSON.parse with reviver containing eval. Use when: pre-commit gate on services that accept binary blobs, audit of legacy job-queue code (workers deserializing tasks), post-bug-report when "we accept user-uploaded archives." Threshold: any call to a known-unsafe deserialization API on data that originates from user input, network, file upload, or untrusted storage. Trigger with: "scan deserialization", "pickle audit", "java readObject scan", "yaml.load check".
Is this skill free to install?
Yes. ClaudSkills is an open registry — every skill keeps its source repository's license, and manual install via copy is free. ClaudSkills Pro ($9/mo, $79/yr, or $149 one-time) adds one-click install via the desktop app and a multi-signal Quality Score.
When should I use the Detecting Insecure Deserialization skill?
Use Detecting Insecure Deserialization when your Claude Code task falls under the Dev Tools category — specifically in the linters formatters area. Claude Code auto-discovers installed skills and invokes the right one based on the task description, so you can also ask Claude directly (e.g. "use Detecting Insecure Deserialization" or describe the task and let Claude pick). Browse related skills at /category/tools/.
What is a Claude Code skill and how does the Detecting Insecure Deserialization skill fit in?
A Claude Code skill is a SKILL.md file that lives under ~/.claude/skills/<name>/ and tells the Claude Code CLI agent how to perform a specific task (instructions, prompts, allowed tools). Skills are auto-discovered at session start. Detecting Insecure Deserialization is one of 67,000+ skills indexed in the open ClaudSkills catalog, classified under the Dev Tools category. Learn more at /learn/what-is-a-claude-skill/.
Promote, attribute, or link this skill from your own README, blog post, or documentation. All three snippets are free to use — no sign-up, no API key. More distribution surfaces →
Claude™ is a trademark of Anthropic PBC. ClaudSkills (also referred to as Claude Skills or Claude Code Skills Catalog) is an independent community-curated registry of SKILL.md files, not affiliated with, endorsed by, or sponsored by Anthropic.
Install ClaudSkills — browse 70k+ skills offline, one tap from your home screen.