serena-usage
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes external data from project memories and source code without strict boundary markers or sanitization. This surface could allow malicious instructions in a codebase to influence agent behavior.
  - Ingestion points: The skill reads external content using `read_memory`, `find_symbol`, and `search_for_pattern`.
  - Boundary markers: The prompts do not define explicit delimiters to separate instructions from the ingested project data.
  - Capability inventory: The skill has access to high-impact write and modify tools including `replace_symbol_body`, `rename_symbol`, `write_memory`, and `edit_memory`.
  - Sanitization: No evidence of content validation or escaping is provided for data retrieved from project files before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill includes a PowerShell utility `scripts/serena-memory-backup.ps1` for local context preservation. The script performs standard, legitimate file system operations (listing, copying, and generating an index) within the project's `.serena` directory and contains no network-related commands or suspicious execution patterns.