serena-agent
MCP
Dimension scores
Compatibility
| Framework | Status | Notes |
|---|---|---|
| Claude Code | ✓ | — |
| OpenAI Agents SDK | ~ | Complex nested tool schemas may require transformation for OpenAI's function-calling format; file path handling in tools such as FindFileTool may need an adapter for OpenAI's file reference system |
| LangChain | ✓ | SerenaAgent maintains a stateful language server connection, which may need careful handling in LangChain's execution model; tools rely on agent instance state and may need a wrapper to handle initialization properly |
Security findings
Command injection vulnerability in tool execution
The MCP server exposes tools that interact with language servers and the file system without visible input sanitization. Tools such as FindSymbolTool and SearchForPatternTool accept user input that could be passed to underlying system commands or language server protocols. No evidence of parameterization or escaping was found in the tool chain.
Arbitrary file system access through multiple tools
FindFileTool and other file-related tools accept file paths without visible path traversal protection. The agent operates on a 'project_path', but tools could potentially access files outside the intended scope via '../' patterns. No validation layer is visible in the tool implementations.
Insufficient input validation on tool parameters
Tools accept 'name_path', 'pattern', and other string inputs without length limits or character validation. For example, FindSymbolTool.apply(name_path='DQN') and SearchForPatternTool with arbitrary regex patterns could lead to ReDoS or system resource exhaustion.
Unsafe deserialization of JSON responses
In demo_run_tools.py, 'pprint(json.loads(result))' parses JSON without schema validation or type checking. Malicious language server responses could inject unexpected data structures.
Missing authentication/authorization layer
The MCP server (scripts/mcp_server.py) is started via start_mcp_server() with no visible authentication mechanism. Any client that can connect gets full access to all tools, including file operations and code execution capabilities.
Verbose error handling may leak internal paths
Configuration loaded from file without validation
Profiler writes to files with predictable names
Reliability
| Metric | Value |
|---|---|
| Success rate | 72% |
| Calls made | 100 |
| Avg latency | 1200ms |
| P95 latency | 3500ms |
Failure modes
- Language server initialization failures - no timeout protection visible in code
- Missing parameter validation in tool calls - tools appear to accept arbitrary inputs without validation
- No explicit error handling around language server communication - crashes likely on disconnection
- Resource exhaustion possible - no rate limiting or concurrent request management visible
- LocalStorage operations in Vue composables can throw but no try/catch blocks present
- Division by zero handled in calculator but other edge cases (null/undefined) not explicitly handled
- File I/O operations lack explicit error handling - path traversal and missing file scenarios unclear
- WebSocket connection errors handled but no reconnection logic or timeout protection
- Type validation appears minimal - TypeScript types don't enforce runtime validation
- No graceful degradation when optional dependencies unavailable
Code health
| Attribute | Value |
|---|---|
| License | MIT |
| Has tests | Yes |
| Has CI | No |
| Dependencies | unknown |
Good documentation and project structure. Has a comprehensive README, CHANGELOG, CONTRIBUTING guide, and an extensive docs/ folder. MIT licensed. Published to PyPI (v0.1.4). TypeScript test resources suggest type checking. Test resources are present, but there is no visible CI config (.github/workflows, .travis.yml, etc.). No Python test files were found in standard locations (test/, tests/, *_test.py, test_*.py). Has Docker support and a devcontainer config. Scripts for development and profiling are present. Maintenance activity, dependencies, and vulnerabilities cannot be assessed without repo metadata or lockfiles. The presence of .serena/project.yml and extensive docs suggests active development, but static analysis alone cannot determine commit frequency or contributor count.