serena — agentic threat model
Serena presents a moderate-to-high security risk as an MCP server with direct access to local codebases and LSP binaries, making it a high-value target for local data exfiltration or arbitrary code execution if the host agent is compromised via prompt injection.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.30 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.50 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.60 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.20 | |
| Opacity & Reflexivity | 0.20 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” carry general, caveated commentary where the public description did not pin that layer down.
Layer 1 (Foundation Models): Not certain from the listing — Serena is an MCP server wrapping LSPs rather than a foundation model itself, but it integrates with Claude. Threats include Claude being manipulated via prompt injection into abusing Serena's LSP tools.
Layer 2 (Data Operations): Serena reads local source code repositories to build ASTs and index symbols. Threats include exfiltration of codebase data, poisoning of local files to trigger LSP parser vulnerabilities, and unauthorized access to sensitive IP.
Layer 3 (Agent Frameworks): Serena acts as an MCP (Model Context Protocol) server providing tools to Claude. Threats include insecure tool integration, where Claude is tricked into executing unintended LSP commands or traversing directories outside the workspace.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — Serena runs locally as an MCP server, but sandboxing of the LSP binaries and the MCP host depends on the user's local setup. Threats include local privilege escalation if an LSP runs with elevated privileges.
Layer 5 (Evaluation and Observability): Not certain from the listing — no built-in logging, guardrails, or evaluation mechanisms are mentioned for the MCP server. Gaps in logging could allow silent directory traversal or unauthorized code reading.
Layer 6 (Security and Compliance): Not certain from the listing — there is no mention of authentication, authorization, or access-control policies restricting which parts of the filesystem the MCP server can access.
Layer 7 (Agent Ecosystem): Serena is a plugin designed to be used within the Claude/MCP ecosystem. Threats include malicious agents or plugins interacting with Serena to extract codebase secrets or exploit the local LSP server.
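The agent-framework, observability and access-control layers above share one gap: nothing stated confines tool file access to the workspace, and nothing records what was read. As an added example (not Serena's code; the hypothetical `read_file_tool`, the `mcp.audit` logger name and the sample workspace are constructed), the following Python shows a workspace-confinement check that also catches symlink escapes, with every allow/deny decision written to a structured audit log:

```python
"""Workspace-confined reads for an MCP tool with a JSON audit trail (added illustration, not Serena's code)."""
import json
import logging
import os
import tempfile
from pathlib import Path

log = logging.getLogger("mcp.audit")  # constructed logger name

class WorkspaceViolation(PermissionError):
    """A tool argument resolved to a path outside the configured project root."""

def resolve_in_workspace(root: Path, requested: str) -> Path:
    """Resolve `requested` against `root` and refuse anything that escapes it.
    Both sides are fully resolved, so '..' segments, absolute paths and symlinks
    pointing outside the root are all caught (a raw prefix check misses symlinks)."""
    root_real = root.resolve(strict=True)
    candidate = (root_real / requested).resolve(strict=False)
    if not candidate.is_relative_to(root_real):  # Python 3.9+
        raise WorkspaceViolation(f"{requested!r} resolves outside the workspace")
    return candidate

def read_file_tool(root: Path, requested: str) -> str:
    """Hypothetical MCP-style 'read file' tool: every call is logged with its decision."""
    try:
        target = resolve_in_workspace(root, requested)
    except WorkspaceViolation as exc:
        log.warning(json.dumps({"tool": "read_file", "arg": requested, "decision": "deny", "reason": str(exc)}))
        raise
    log.info(json.dumps({"tool": "read_file", "arg": requested, "decision": "allow", "path": str(target)}))
    return target.read_text()

def demo() -> dict[str, str]:
    """Constructed workspace with a symlink escape; returns each call's decision."""
    decisions: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp, "secret.txt")  # sibling of the project, outside the root
        secret.write_text("not for the agent\n")
        root = Path(tmp, "project")
        root.mkdir()
        (root / "main.py").write_text("print('hello')\n")
        os.symlink(secret, root / "link.txt")  # in-tree link that points outside
        for arg in ("main.py", "../secret.txt", "link.txt", "/etc/hostname"):
            try:
                read_file_tool(root, arg)
                decisions[arg] = "allow"
            except WorkspaceViolation:
                decisions[arg] = "deny"
    return decisions
```

The denied entries in the audit log are exactly the signal the observability layer above says is missing: a traversal or symlink attempt becomes a detectable event rather than a silent read.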
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).