jndi-injection

Warn

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: MEDIUM
DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill documents specific JNDI lookup patterns intended to leak sensitive system information and environment variables, including 'AWS_SECRET_ACCESS_KEY', 'java.version', and 'hostName', to attacker-controlled external infrastructure.
  • [REMOTE_CODE_EXECUTION]: Provides detailed payloads and methodological instructions for achieving remote code execution across various Java environments through RMI, LDAP, serialized gadget chains, and expression language (EL) injection.
  • [COMMAND_EXECUTION]: Lists specific shell commands for initializing and running external exploitation frameworks such as 'marshalsec', 'ysoserial', and 'RogueJndi'.
  • [PROMPT_INJECTION]: Uses 'AI LOAD INSTRUCTION' with authoritative framing ('Expert Attack Playbook', 'AI LOAD INSTRUCTION: Expert JNDI injection techniques') to direct the agent's behavior toward specialized offensive security tasks, which may circumvent standard safety guidelines regarding the generation of malicious payloads.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 9, 2026, 04:28 AM