serena-mcp-agent
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill setup and configuration instructions for various clients (Claude Desktop, Claude Code, Codex) rely on executing remote code from an untrusted source (git+https://github.com/oraios/serena) using the uvx utility.
- EXTERNAL_DOWNLOADS (HIGH): The documentation repeatedly promotes downloading and running the Serena MCP server from a GitHub organization ('oraios') that is not included in the trusted organizations list.
- COMMAND_EXECUTION (MEDIUM): The skill includes an execute_shell_command tool designed for arbitrary shell execution. While documented with a warning to disable it for untrusted contexts, it remains a high-risk capability when combined with remote code ingestion.
- PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its core function of reading and processing untrusted codebase data.
  - Ingestion points: Project files processed through read_file, search_for_pattern, and get_symbols_overview (tools-reference.md).
  - Boundary markers: Absent; there are no clear instructions or markers to distinguish between data and embedded instructions in the files being analyzed.
  - Capability inventory: Includes execute_shell_command, replace_symbol_body, and create_text_file (tools-reference.md).
  - Sanitization: Absent; the skill does not specify any sanitization or validation of the content read from files before it influences agent behavior.
Recommendations
- AI detected serious security threats