serena
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The run_command tool (implemented in tools/extended/cmd_tools.py) executes arbitrary strings via subprocess.run with shell=True. This allows an attacker to execute any shell command on the host system if they can influence the command string passed to the tool.
- [REMOTE_CODE_EXECUTION] (HIGH): The run_script tool (implemented in tools/extended/cmd_tools.py) allows for the execution of arbitrary Python or Bash scripts located on the local filesystem. When combined with the skill's ability to modify files, this creates a pathway for persistent and complex code execution.
- [DATA_EXFILTRATION] (MEDIUM): The run_command and read_config tools can be used to access sensitive local files (such as SSH keys, cloud credentials, or environment variables) and transmit them to external servers using common network utilities like curl or wget.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill relies on serena-agent, which is an external dependency from an untrusted organization. This package has not been verified and represents a supply-chain risk.
- [PROMPT_INJECTION] (LOW): This skill is vulnerable to indirect prompt injection (Category 8). It ingests untrusted data from project files via symbol and file search tools (ingestion points in tools/cli/symbol.py and tools/cli/file.py). Because the skill possesses high-privilege capabilities like arbitrary command execution and file modification (capability inventory in tools/extended/cmd_tools.py and tools/cli/symbol.py), malicious instructions embedded in the analyzed code could potentially trigger dangerous actions. No explicit sanitization or boundary markers were observed in the wrapper code.
Recommendations
- AI detected serious security threats
Audit Metadata