
serena — agentic threat model

AIVSS 8.1 · High

Serena presents a moderate-to-high security risk as an MCP server with direct access to local codebases and LSP binaries, making it a high-value target for local data exfiltration or arbitrary code execution if the host agent is compromised via prompt injection.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 7.5
AARS uplift: 0.55
Factor sum: 2.2/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.30
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.50
Persistent Memory: 0.10
Contextual Awareness: 0.60
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.10
Non-Determinism: 0.20
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
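Worked computation of the score above, as an added example (not part of the listing or of the AIVSS calculator): it sums the ten factors exactly as listed, applies the formula, and rounds half-up to one decimal. The 0.8 mitigation factor at the end is a hypothetical value, included only to show that documented controls pull the score down.

```python
from decimal import Decimal, ROUND_HALF_UP

# Agentic risk factors exactly as given in the listing above (strings keep Decimal exact).
SERENA_FACTORS = {
    "Autonomy of Action": "0.30",
    "Goal-Driven Planning": "0.10",
    "Self-Modification": "0.00",
    "Dynamic Tool Use": "0.50",
    "Persistent Memory": "0.10",
    "Contextual Awareness": "0.60",
    "Dynamic Identity": "0.10",
    "Multi-Agent Interactions": "0.10",
    "Non-Determinism": "0.20",
    "Opacity & Reflexivity": "0.20",
}


def factor_sum(factors):
    """Sum the ten agentic factors (each 0.0 to 1.0); Decimal avoids float drift at 8.05."""
    return sum(Decimal(v) for v in factors.values())


def aars(cvss_base, factors, threat_multiplier="1.0"):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM: the agentic uplift over the CVSS base."""
    headroom = Decimal("10") - Decimal(cvss_base)
    return headroom * (factor_sum(factors) / Decimal("10")) * Decimal(threat_multiplier)


def aivss(cvss_base, factors, threat_multiplier="1.0", mitigation_factor="1.0"):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, rounded half-up to one decimal."""
    raw = (Decimal(cvss_base) + aars(cvss_base, factors, threat_multiplier)) * Decimal(mitigation_factor)
    return raw.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


if __name__ == "__main__":
    print("factor sum:", factor_sum(SERENA_FACTORS))   # 2.20
    print("AARS uplift:", aars("7.5", SERENA_FACTORS))  # 0.550
    print("AIVSS:", aivss("7.5", SERENA_FACTORS))       # 8.1
    # Hypothetical: same agent with a 0.8 mitigation factor (assumed value, not from the listing).
    print("AIVSS at mitigation 0.8:", aivss("7.5", SERENA_FACTORS, mitigation_factor="0.8"))  # 6.4
```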

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — Serena is an MCP server wrapping LSPs rather than a foundation model itself, but it integrates with Claude. Threats include Claude being manipulated via prompt injection to abuse Serena's LSP tools.

L2 · Data Operations (✓ mapped)

Serena accesses local source code repositories to build ASTs and index symbols. Threats include codebase data exfiltration, poisoning of local files to exploit LSP parser vulnerabilities, or unauthorized access to sensitive IP.

L3 · Agent Frameworks (✓ mapped)

Serena acts as an MCP (Model Context Protocol) server providing tools to Claude. Threats include insecure tool integration, where Claude is tricked into executing unintended LSP commands or traversing directories outside the workspace.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — Serena runs locally as an MCP server, but the sandboxing of the LSP binaries and the MCP host is dependent on the user's local setup. Threats include local privilege escalation if the LSP runs with high privileges.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — No built-in logging, guardrails, or evaluation mechanisms are mentioned for the MCP server. Gaps in logging could allow silent directory traversal or unauthorized code reading.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — There is no mention of authentication, authorization, or access control policies restricting which parts of the filesystem the MCP server can access.

L7 · Agent Ecosystem (✓ mapped)

Serena is a plugin designed to be used within the Claude/MCP ecosystem. Threats include malicious agents or plugins interacting with Serena to extract codebase secrets or exploit the local LSP server.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).