MCPVet
Critical
github · 250 files analyzed
oraios/serena
Dangerous patterns detected — do not install blindly.
View source ↗Outbound network 5
Environment variables (config / keys) 24
Filesystem writes 10
Remote code execution 3
Shell / command execution 29
AI review
The extension contains several remote code execution patterns in build scripts and CI workflows, but these are standard development tooling (uv installer, nvm) and not malicious. The telemetry call to oraios-software.de is opt-in and only sends anonymous usage data. No prompt injection, secret exfiltration, or deceptive tool descriptions were found.
- low CI workflow downloads and executes remote scripts — .github/workflows/pytest.yml:58 runs `curl -LsSf https://astral.sh/uv/install.sh | sh` and Dockerfile:30 runs `curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v${NVM_VERSION}/install.sh | bash`. These are standard package installer patterns, not malicious, but could be pinned to specific versions for supply-chain security.
- low Telemetry endpoint with environment-based opt-out — src/serena/agent.py:731 sends a GET request to https://oraios-software.de/serena_usage.php with anonymous parameters. The code checks CI environment variables and SERENA_USAGE_REPORTING env var to disable it. This is opt-in by default (only sends in non-CI, non-explicitly-disabled contexts) and does not exfiltrate secrets or credentials.
- low SCP command uses environment variable for credentials — scripts/build_news_json.py:55 runs `scp` with a username from `os.getenv("HADES_USER")`. This is a build/deployment script, not part of the agent runtime, and the user must have SSH keys configured. No credential exfiltration risk in normal agent operation.
Model: deepseek-chat
Static findings
Remote code execution · Downloads and executes remote code
info
.github/workflows/pytest.yml:58
run: curl -LsSf https://astral.sh/uv/install.sh | sh
info
Dockerfile:30
RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v${NVM_VERSION}/install.sh | bash
critical
src/solidlsp/language_servers/lean4_language_server.py:41
" curl https://raw.githubusercontent.com/leanprover/elan/master/elan-init.sh -sSf | sh\n"
Filesystem writes · Reads or writes the filesystem
info
docs/autogen_docs.py:73
shutil.rmtree(rst_root)
low
repo_dir_sync.py:163
shutil.rmtree(self.libRepo.libDirectory)
low
scripts/demo_diagnostics.py:175
shutil.rmtree(temp_dir, ignore_errors=True)
low
src/serena/cli.py:591
os.remove(path)
low
src/serena/config/serena_config.py:866
shutil.move(old_config_path, config_path)
low
src/serena/hooks.py:520
shutil.rmtree(self.session_persistence_dir, ignore_errors=True)
low
src/serena/memories/memory_manager.py:311
shutil.move(old_path, new_path)
low
src/solidlsp/language_servers/elixir_tools/elixir_tools.py:191
os.remove(executable_path)
low
src/solidlsp/language_servers/haxe_language_server.py:155
os.remove(vsix_path)
low
src/solidlsp/language_servers/pascal_server.py:396
os.remove(file_path)
Shell / command execution · Executes shell / system commands
info
docs/create_toc.py:9
os.system(cmd)
medium
repo_dir_sync.py:12
def popen(cmd):
medium
scripts/build_news_json.py:55
os.system(f"scp news/news.json {user}@hades:/var/www/html/oraios-software/serena_news.json")
medium
scripts/bump_version.py:56
os.system("uv lock")
medium
src/serena/cli.py:111
subprocess.run([editor, path], check=False, **run_kwargs)
medium
src/serena/dashboard.py:816
p = subprocess.Popen(
medium
src/serena/util/dotnet.py:30
result = subprocess.run([self._system_dotnet, "--list-runtimes"], capture_output=True, text=True, check=True)
medium
src/serena/util/shell.py:28
process = subprocess.Popen(
medium
src/solidlsp/language_servers/bsl_language_server.py:55
result = subprocess.run(
medium
src/solidlsp/language_servers/clojure_lsp.py:62
return subprocess.run(
medium
src/solidlsp/language_servers/common.py:113
completed_process = subprocess.run(
medium
src/solidlsp/language_servers/elixir_tools/elixir_tools.py:68
result = subprocess.run(["elixir", "--version"], capture_output=True, text=True, check=False)
+ 17 more
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
scripts/build_news_json.py:53
user = os.getenv("HADES_USER")
low
src/serena/agent.py:721
if os.getenv("CI") == "true" or os.getenv("GITHUB_ACTIONS") == "true" or os.getenv("SERENA_USAGE_REPORTING") == "false":
low
src/serena/cli.py:107
editor = os.environ.get("EDITOR")
low
src/serena/config/serena_config.py:61
home_dir = os.getenv("SERENA_HOME")
low
src/serena/hooks.py:18
serena_home_dir = os.getenv("SERENA_HOME", "").strip() or str(Path.home() / ".serena")
low
src/serena/util/exception.py:22
if not os.environ.get("DISPLAY"): # type: ignore
low
src/serena/util/gui.py:16
display = os.environ.get("DISPLAY", "")
low
src/serena/util/shell.py:49
args, stdin=subprocess.DEVNULL, stderr=subprocess.PIPE, timeout=timeout, env=os.environ.copy(), cwd=cwd, **subprocess_kwargs()
low
src/solidlsp/language_servers/al_language_server.py:236
env_path = os.environ.get("AL_EXTENSION_PATH")
low
src/solidlsp/language_servers/bash_language_server.py:195
"PATH": managed_bin_dir + os.pathsep + os.environ.get("PATH", ""),
low
src/solidlsp/language_servers/common.py:178
uvx_path = os.environ.get("UVX") or shutil.which("uvx")
low
src/solidlsp/language_servers/eclipse_jdtls.py:682
elif env_home := os.environ.get("JAVA_HOME"):
+ 12 more
Outbound network · Makes outbound network requests
low
src/serena/agent.py:731
requests.get("https://oraios-software.de/serena_usage.php", params=params, timeout=1)
low
src/serena/dashboard.py:10
import urllib.request
low
src/serena/util/dotnet.py:103
urllib.request.urlretrieve(script_url, script_path)
low
src/solidlsp/language_servers/haxe_language_server.py:11
import urllib.request
low
src/solidlsp/language_servers/pascal_server.py:60
import urllib.request
Scanning every extension your team installs?
Pro & Team add monitoring, private scans, and a CI gate for unsafe extensions.
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.