← Scan another

Low

github · 250 files analyzed

oraios/serena

Minor capabilities, nothing alarming.

View source ↗

Outbound network 5

Environment variables (config / keys) 24

Filesystem writes 10

Remote code execution 3

Shell / command execution 29

AI review

The extension contains several patterns that could be risky in an AI agent context, but they are all standard development/build operations or legitimate functionality that matches the stated purpose of an MCP-based IDE tool. No hidden instructions, prompt injection vectors, or data exfiltration mechanisms were found beyond a benign usage reporting call that respects opt-out environment variables.

low Usage reporting with network call — src/serena/agent.py:731 sends a GET request to oraios-software.de with usage parameters. However, it checks for CI/GitHub Actions environment variables and respects SERENA_USAGE_REPORTING=false, making this standard telemetry rather than hidden exfiltration.
low Remote code execution in build scripts — .github/workflows/pytest.yml and Dockerfile download and execute shell scripts from external URLs (astral.sh, raw.githubusercontent.com). These are standard CI/Docker build steps, not runtime agent behavior, and are not executed by the agent itself.
low SCP command with environment variable — scripts/build_news_json.py:55 uses os.system to SCP a file to a remote host using an environment variable for the username. This is a build/deployment script, not part of the agent runtime, and is consistent with the project's stated purpose.
low File system operations — Multiple instances of shutil.rmtree, os.remove, and shutil.move exist throughout the codebase. These are legitimate operations for an IDE tool that manages project files, caches, and configuration. No evidence of unauthorized file access or deletion.
low Command execution via subprocess — Several subprocess.run and os.system calls exist for launching editors, language servers, and build tools. These are expected functionality for an MCP server that provides code editing and language server integration.

Model: deepseek-chat

Static findings

Remote code execution · Downloads and executes remote code

info .github/workflows/pytest.yml:58 run: curl -LsSf https://astral.sh/uv/install.sh | sh

info Dockerfile:30 RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v${NVM_VERSION}/install.sh | bash

info src/solidlsp/language_servers/lean4_language_server.py:41 " curl https://raw.githubusercontent.com/leanprover/elan/master/elan-init.sh -sSf | sh\n"

Filesystem writes · Reads or writes the filesystem

info docs/autogen_docs.py:73 shutil.rmtree(rst_root)

low repo_dir_sync.py:163 shutil.rmtree(self.libRepo.libDirectory)

low scripts/demo_diagnostics.py:175 shutil.rmtree(temp_dir, ignore_errors=True)

low src/serena/cli.py:591 os.remove(path)

low src/serena/config/serena_config.py:866 shutil.move(old_config_path, config_path)

low src/serena/hooks.py:520 shutil.rmtree(self.session_persistence_dir, ignore_errors=True)

low src/serena/memories/memory_manager.py:311 shutil.move(old_path, new_path)

low src/solidlsp/language_servers/elixir_tools/elixir_tools.py:191 os.remove(executable_path)

low src/solidlsp/language_servers/haxe_language_server.py:155 os.remove(vsix_path)

low src/solidlsp/language_servers/pascal_server.py:396 os.remove(file_path)

Shell / command execution · Executes shell / system commands

info docs/create_toc.py:9 os.system(cmd)

medium repo_dir_sync.py:12 def popen(cmd):

medium scripts/build_news_json.py:55 os.system(f"scp news/news.json {user}@hades:/var/www/html/oraios-software/serena_news.json")

medium scripts/bump_version.py:56 os.system("uv lock")

medium src/serena/cli.py:111 subprocess.run([editor, path], check=False, **run_kwargs)

medium src/serena/dashboard.py:816 p = subprocess.Popen(

medium src/serena/util/dotnet.py:30 result = subprocess.run([self._system_dotnet, "--list-runtimes"], capture_output=True, text=True, check=True)

medium src/serena/util/shell.py:28 process = subprocess.Popen(

medium src/solidlsp/language_servers/bsl_language_server.py:55 result = subprocess.run(

medium src/solidlsp/language_servers/clojure_lsp.py:62 return subprocess.run(

medium src/solidlsp/language_servers/common.py:113 completed_process = subprocess.run(

medium src/solidlsp/language_servers/elixir_tools/elixir_tools.py:68 result = subprocess.run(["elixir", "--version"], capture_output=True, text=True, check=False)

+ 17 more

Environment variables (config / keys) · Reads environment variables (config / API keys)

low scripts/build_news_json.py:53 user = os.getenv("HADES_USER")

low src/serena/agent.py:721 if os.getenv("CI") == "true" or os.getenv("GITHUB_ACTIONS") == "true" or os.getenv("SERENA_USAGE_REPORTING") == "false":

low src/serena/cli.py:107 editor = os.environ.get("EDITOR")

low src/serena/config/serena_config.py:61 home_dir = os.getenv("SERENA_HOME")

low src/serena/hooks.py:18 serena_home_dir = os.getenv("SERENA_HOME", "").strip() or str(Path.home() / ".serena")

low src/serena/util/exception.py:22 if not os.environ.get("DISPLAY"): # type: ignore

low src/serena/util/gui.py:16 display = os.environ.get("DISPLAY", "")

low src/serena/util/shell.py:49

args, stdin=subprocess.DEVNULL, stderr=subprocess.PIPE, timeout=timeout, env=os.environ.copy(), cwd=cwd, **subprocess_kwargs()

low src/solidlsp/language_servers/al_language_server.py:236 env_path = os.environ.get("AL_EXTENSION_PATH")

low src/solidlsp/language_servers/bash_language_server.py:195 "PATH": managed_bin_dir + os.pathsep + os.environ.get("PATH", ""),

low src/solidlsp/language_servers/common.py:178 uvx_path = os.environ.get("UVX") or shutil.which("uvx")

low src/solidlsp/language_servers/eclipse_jdtls.py:682 elif env_home := os.environ.get("JAVA_HOME"):

+ 12 more

Outbound network · Makes outbound network requests

low src/serena/agent.py:731 requests.get("https://oraios-software.de/serena_usage.php", params=params, timeout=1)

low src/serena/dashboard.py:10 import urllib.request

low src/serena/util/dotnet.py:103 urllib.request.urlretrieve(script_url, script_path)

low src/solidlsp/language_servers/haxe_language_server.py:11 import urllib.request

low src/solidlsp/language_servers/pascal_server.py:60 import urllib.request

Scanning every extension your team installs?

Pro & Team add monitoring, private scans, and a CI gate for unsafe extensions.

MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.