Serena

Official MCP

Coding agent using symbolic code operations via language servers for precise code manipulation

vcommit-6a798ef-2026-03-01

PDF

Schnellinstallation

smcp run official/serena@commit-6a798ef-2026-03-01

Sicher ausführen mit mcp hub client Der sichere MCP-Runner von mcp-hub

Integrity Verified

Level 0

Basic integrity checks passed. Digest validation and schema validation completed.

MSSS: Level 0 (Not Compliant)

190

Findings

Critical

121

High

15/100

Global Security Score

Not Recommended for Production

Critical security issues found. This MCP server should not be used in production until remediated.

190 findings

64 critical

121 high

Vulnerability Summary

Critical

121

High

Medium

Low

Info

190 total findings detected

Critical

High

121

Medium

Score Breakdown

Security (50% weight) 40

Supply Chain (30% weight) 100

Maturity (20% weight) 100

Global Score (weighted) 15

OWASP MCP Top 10 View full details →

MCP01

Token & Secrets

Mitigated

MCP02

Privilege Escalation

Mitigated

MCP03

Tool Poisoning

At Risk

MCP04

Supply Chain

Mitigated

MCP05

Cmd Injection

At Risk

MCP06

Intent Subversion

Mitigated

MCP07

Auth/AuthZ

Mitigated

MCP08

Audit & Telemetry

At Risk

MCP09

Shadow Servers

At Risk

MCP10

Context Injection

Mitigated

MSSS Certification Level

MCP Server Security Standard (MSSS) — Ein standardisiertes Framework zur Bewertung der Sicherheit von MCP-Servern. Mehr erfahren

0 Level 0

Sicherheitskontrollen

Other Controls

22/26 passed

No SQL Injection

Control failed: 52 findings found, score 50.0

CRITICAL FAIL

No Tool Poisoning

Control failed: 97 findings found, score 50.0

CRITICAL FAIL

No Remote Code Execution

Control failed: 8 findings found, score 50.0

CRITICAL FAIL

No Hidden Network Channels

Control failed: 27 findings found, score 50.0

HIGH FAIL

Code Quality

PASS

Error Handling

PASS

Input Validation

PASS

Logging

PASS

No Critical Vulnerabilities

PASS

No High Vulnerabilities

PASS

No Secrets in Code

PASS

No Command Injection

PASS

No Path Traversal

PASS

No Insecure Deserialization

PASS

No XSS Vulnerabilities

PASS

Secure Cryptography

PASS

No Hardcoded Credentials

PASS

No Prompt Injection

PASS

No SSRF or Data Exfiltration

PASS

No Privilege Escalation

PASS

No Cross-Tool Data Leakage

PASS

Compatible License

PASS

No Copyleft License

PASS

No Deprecated Dependencies

PASS

Pinned Dependencies

PASS

Known Supply Chain

PASS

Security Findings

190 findings:

Filter:

Severity	CVSS	Finding	Class	Location	CWE
critical	—	Direct shell command execution detected	A RCE	—	—
Description Direct shell command execution detected Code Snippet `os.system(cmd)` Remediation Use subprocess with shell=False and explicit command list Confidence high Rule ID MCP-A003
critical	—	Direct shell command execution detected	A RCE	—	—
Description Direct shell command execution detected Code Snippet `SYNC_COMMIT_MESSAGE = f"Updated %s sync commit identifiers"` Remediation Use subprocess with shell=False and explicit command list Confidence high Rule ID MCP-A003
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `"selectionRange": {"dynamicRegistration": True},` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `def create_{template_name}(self{method_params_str}) -> str:` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `log.debug("Applying mode selection: default_modes=%s, base_modes=%s", mode_selection.default_modes, ...` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	Dangerous function used (eval, exec, compile)	A RCE	—	—
Description Dangerous function used (eval, exec, compile) Code Snippet `compiled_pattern = re.compile(pattern, re.DOTALL)` Remediation Avoid eval/exec; use safer alternatives like ast.literal_eval Confidence high Rule ID MCP-A004
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `"selectionRange": {"dynamicRegistration": True},` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	Direct shell command execution detected	A RCE	—	—
Description Direct shell command execution detected Code Snippet `os.system("git add %s" % self.libRepo.libDirectory)` Remediation Use subprocess with shell=False and explicit command list Confidence high Rule ID MCP-A003
critical	—	Dangerous function used (eval, exec, compile)	A RCE	—	—
Description Dangerous function used (eval, exec, compile) Code Snippet `_AL_OBJECT_NAME_PATTERN = re.compile(` Remediation Avoid eval/exec; use safer alternatives like ast.literal_eval Confidence high Rule ID MCP-A004
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `# sends window/workDoneProgress/create (async-indexing servers like KLS v261+),` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `@click.command("create", help="Create a new mode or copy an internal one.", context_settings={"max_c...` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `log.info("Saving updated raw document symbols cache to %s", cache_file)` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `"selectionRange": {"dynamicRegistration": True},` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `new_text = text[:change_index] + text_to_be_inserted + text[change_index:]` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `log.debug(f"Kotlin LSP workDoneProgress/create: token={token!r}")` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `log.info("Saving updated project configuration to %s", config_path)` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `self.text_widget.insert(tk.END, message + "\n", log_level.name)` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet @sample `let sel:DocumentSelector = [{ language: 'typescript' }, { language: 'json', pattern: '**/ts... Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `selecting this color presentation. Edits must not overlap with the main {@link ColorPresentation.tex...` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `self._session.headers.update({"Content-Type": "application/json", "Accept": "application/json"})` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `@click.command("create", help="Create a new Serena project configuration.", context_settings={"max_c...` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `raise ValueError(f"No language server factory available to create language server for {language}")` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `click.echo(f" - {symbol['name']} at line {symbol['selectionRange']['start']['line']} of kind {symbo...` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `This is an alternative to clangd for large C++ codebases where ccls may perform` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	Dynamic import without validation detected	L Lifecycle	—	—
Description Dynamic import without validation detected Code Snippet `def test_request_defining_symbol_component_import(self, language_server: SolidLanguageServer) -> None:` Remediation Validate module names against an allowlist before dynamic imports; use static imports when possible Confidence high Rule ID MCP-L001
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `log.info(f"Created serena compilation database with absolute paths at {compile_commands_path}")` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `with urllib.request.urlopen(req, timeout=cls.NETWORK_TIMEOUT) as response:` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `"selectionRange": {"dynamicRegistration": True},` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `msg = f"Created and activated a new project with name '{self.project_name}' at {self.project_root}. ...` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `logger.info(f"Created external user: {external_user.name}")` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `logger.info(f"Created external user: {external_user.name}")` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `user = service.create_user(name=f"User {i + 1}", email=f"user{i + 1}@example.com", roles=["user"])` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `info.update({"service_type": "data_sync", "sync_interval": str(self.sync_interval)})` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `self.update_timestamp(f"stock_update_{quantity}")` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `result.update({"stock_level": self.stock_level, "created_at": self.created_at, "updated_at": self.up...` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	ML classifier detected prompt injection pattern	G Tool Poisoning	—	—
Description ML classifier detected prompt injection pattern Code Snippet `html += '<button id="create-memory-btn" class="memory-add-btn">+ Add Memory</button>';` Remediation Review and sanitize the detected text for potential injection attempts Confidence high Rule ID MCP-ML-001
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `assert "selectionRange" in symbol, f"Symbol '{name}' has no selectionRange in {file_path}"` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `alert('Error adding language ' + selectedLanguage + ": " + response.message);` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `assert containing_symbol["name"] == "create_user", f"Expected 'create_user', got '{containing_symbol...` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	Direct shell command execution detected	A RCE	—	—
Description Direct shell command execution detected Code Snippet `os.system("git checkout %s" % path)` Remediation Use subprocess with shell=False and explicit command list Confidence high Rule ID MCP-A003
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `click.echo(f"Override file '{prompt_yaml_name}' not found. Create it with: prompts create-override {...` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `), f"Cannot create file outside of the project directory, got {relative_path=}"` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `"selectionRange": {"dynamicRegistration": True},` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `log.info("Language status update: %s", params)` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `assert result1.exit_code == 0, f"create --index failed: {result1.output}"` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `log.debug(f"LSP: window/workDoneProgress/create: {params}")` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `click.echo(f"Override file '{prompt_yaml_name}' not found.")` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `"rustfmt": {"extraArgs": [], "overrideCommand": None, "rangeFormatting": {"enable": False}},` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `end_line_for_delete = end_line + 1` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	Dangerous function used (eval, exec, compile)	A RCE	—	—
Description Dangerous function used (eval, exec, compile) Code Snippet `# Fallback to gem exec (for non-Bundler projects or when global solargraph not found)` Remediation Avoid eval/exec; use safer alternatives like ast.literal_eval Confidence high Rule ID MCP-A004
critical	—	Dangerous function used (eval, exec, compile)	A RCE	—	—
Description Dangerous function used (eval, exec, compile) Code Snippet `pattern = re.compile(r"^\s*[A-Z_]+ = .+$")` Remediation Avoid eval/exec; use safer alternatives like ast.literal_eval Confidence high Rule ID MCP-A004
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `log.debug(f"Fixed fortls selectionRange for {identifier_name}: char {start_char} -> {identifier_star...` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `"selectionRange": {"dynamicRegistration": True},` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `sel_range = sym.get("selectionRange", {})` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `assert "CreateCustomer" in value, f"Hover should contain procedure name. Got: {value[:200]}"` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `sel_range = sym.get("selectionRange", {})` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	Dynamic import without validation detected	L Lifecycle	—	—
Description Dynamic import without validation detected Code Snippet `def test_find_definition_import(self, language_server: SolidLanguageServer, repo_path: Path) -> None:` Remediation Validate module names against an allowlist before dynamic imports; use static imports when possible Confidence high Rule ID MCP-L001
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `create_user_pattern = r"def\s+create_user\s$[^)]$(?:\s*->[^:]+)?:"` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `create_user_line = i + 2 # Go inside the function body` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `old_time = time.time() - (PascalLanguageServer.UPDATE_CHECK_INTERVAL + 3600)` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `containing = language_server.request_containing_symbol(file_path, create_user_line + 2, 10)` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `), f"selectionRange should point to identifier, not line start. Got character: {sel_start['character...` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	SQL string concatenation detected	D SQL Injection	—	—
Description SQL string concatenation detected Code Snippet `assert cache_files, f"Expected SolidLSP to create cache artifacts under {cache_dir}"` Remediation Use parameterized queries with placeholders Confidence high Rule ID MCP-D002
critical	—	Dynamic import without validation detected	L Lifecycle	—	—
Description Dynamic import without validation detected Code Snippet `def test_cross_file_references_utils_import(self, language_server: SolidLanguageServer) -> None:` Remediation Validate module names against an allowlist before dynamic imports; use static imports when possible Confidence high Rule ID MCP-L001
high	—	Outbound connection to dynamically constructed URL	M Hidden Network	—	—
Description Outbound connection to dynamically constructed URL Code Snippet `url=f"{cls.PASLS_RELEASES_URL}/pasls-aarch64-linux.tar.gz",` Remediation Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction Confidence medium Rule ID MCP-M003
high	—	Outbound connection to dynamically constructed URL	M Hidden Network	—	—
Description Outbound connection to dynamically constructed URL Code Snippet `PHPACTOR_PHAR_URL = f"https://github.com/phpactor/phpactor/releases/download/{PHPACTOR_VERSION}/phpactor.phar"` Remediation Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction Confidence medium Rule ID MCP-M003
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `# Override internal language enum for correct file matching` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Outbound connection to dynamically constructed URL	M Hidden Network	—	—
Description Outbound connection to dynamically constructed URL Code Snippet `response = requests.get(download_url, stream=True, timeout=120)` Remediation Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction Confidence medium Rule ID MCP-M003
high	—	ML classifier detected prompt injection pattern	G Tool Poisoning	—	—
Description ML classifier detected prompt injection pattern Code Snippet `f"Received initialize response from PowerShell server: {init_response}"` Remediation Review and sanitize the detected text for potential injection attempts Confidence medium Rule ID MCP-ML-001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `@override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `@override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `from overrides import override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `@override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `"""Override to ignore Ruby-specific directories that cause performance issues."""` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `@override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `# Override internal language enum for file matching (excludes .erb files)` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Outbound connection to dynamically constructed URL	M Hidden Network	—	—
Description Outbound connection to dynamically constructed URL Code Snippet `base_url = f"https://github.com/chipsalliance/verible/releases/download/{verible_version}"` Remediation Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction Confidence medium Rule ID MCP-M003
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `@override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `@override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `@override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `if self.override_ts_ls_executable is not None:` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `VueTypeScriptServer.DependencyProvider.override_ts_ls_executable = ts_ls_executable_path` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `@override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `but are not actual errors. Subclasses can override this method to filter out known` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `Subclasses should override this method to provide their specific dependency provider.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `Override in subclasses to return file-specific language IDs.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `Subclasses can override this method to implement language-specific preferences.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `# Select the preferred definition (subclasses can override _get_preferred_definition)` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `Subclasses may override to provide a deterministic value that changes when cached results` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Potential timing-based covert channel detected	M Hidden Network	—	—
Description Potential timing-based covert channel detected Code Snippet `time.sleep(0.01)` Remediation Review sleep/delay patterns for data-dependent timing; normalize timing behavior Confidence low Rule ID MCP-M002
high	—	Outbound connection to dynamically constructed URL	M Hidden Network	—	—
Description Outbound connection to dynamically constructed URL Code Snippet `host = f"{os.path.sep}{os.path.sep}{parsed.netloc}{os.path.sep}"` Remediation Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction Confidence medium Rule ID MCP-M003
high	—	Outbound connection to dynamically constructed URL	M Hidden Network	—	—
Description Outbound connection to dynamically constructed URL Code Snippet `response = requests.get(url, stream=True, timeout=60)` Remediation Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction Confidence medium Rule ID MCP-M003
high	—	Extended prompt injection pattern detected	G Tool Poisoning	—	—
Description Extended prompt injection pattern detected Code Snippet `platform_id = f"{system_map[system]}-{libc}-{machine_map[machine]}"` Remediation Review and remove suspicious instruction patterns from tool descriptions and code Confidence high Rule ID MCP-G004
high	—	Extended prompt injection pattern detected	G Tool Poisoning	—	—
Description Extended prompt injection pattern detected Code Snippet above `TextDocumentEdit`s mixed with create, rename and delete file / folder operations. Remediation Review and remove suspicious instruction patterns from tool descriptions and code Confidence high Rule ID MCP-G004
high	—	Extended prompt injection pattern detected	G Tool Poisoning	—	—
Description Extended prompt injection pattern detected Code Snippet `delete file / folder operations.` Remediation Review and remove suspicious instruction patterns from tool descriptions and code Confidence high Rule ID MCP-G004
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `An optional variable name can be used to override the extracted name.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `An optional expression can be used to override the extracted expression.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `""" If specified the expression overrides the extracted expression. """` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Extended prompt injection pattern detected	G Tool Poisoning	—	—
Description Extended prompt injection pattern detected Code Snippet `""" The server provides execute command support. """` Remediation Review and remove suspicious instruction patterns from tool descriptions and code Confidence high Rule ID MCP-G004
high	—	Extended prompt injection pattern detected	G Tool Poisoning	—	—
Description Extended prompt injection pattern detected Code Snippet `"""Delete file options"""` Remediation Review and remove suspicious instruction patterns from tool descriptions and code Confidence high Rule ID MCP-G004
high	—	Extended prompt injection pattern detected	G Tool Poisoning	—	—
Description Extended prompt injection pattern detected Code Snippet `""" Execute command supports dynamic registration. """` Remediation Review and remove suspicious instruction patterns from tool descriptions and code Confidence high Rule ID MCP-G004
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `a completion item to override the whitespace handling mode` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Potential timing-based covert channel detected	M Hidden Network	—	—
Description Potential timing-based covert channel detected Code Snippet `await asyncio.sleep(0.1)` Remediation Review sleep/delay patterns for data-dependent timing; normalize timing behavior Confidence low Rule ID MCP-M002
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `"""Override of base method."""` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Outbound connection to dynamically constructed URL	M Hidden Network	—	—
Description Outbound connection to dynamically constructed URL Code Snippet `def fetch(self, id: int \| str, cache: bool = False) -> dict[str, Any] \| None:` Remediation Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction Confidence medium Rule ID MCP-M003
high	—	Potential timing-based covert channel detected	M Hidden Network	—	—
Description Potential timing-based covert channel detected Code Snippet `time.sleep(delay * (2**attempt))` Remediation Review sleep/delay patterns for data-dependent timing; normalize timing behavior Confidence low Rule ID MCP-M002
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `"""When no project override, effective backend matches global config."""` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `def test_project_overrides_global_backend(self):` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `# Add a second project with no backend override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Potential timing-based covert channel detected	M Hidden Network	—	—
Description Potential timing-based covert channel detected Code Snippet `time.sleep(0.2)` Remediation Review sleep/delay patterns for data-dependent timing; normalize timing behavior Confidence low Rule ID MCP-M002
high	—	Potential timing-based covert channel detected	M Hidden Network	—	—
Description Potential timing-based covert channel detected Code Snippet `time.sleep(0.2)` Remediation Review sleep/delay patterns for data-dependent timing; normalize timing behavior Confidence low Rule ID MCP-M002
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `def test_set_modes_overrides_config_defaults(self) -> None:` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `"""Project-level budget overrides global budget."""` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Potential timing-based covert channel detected	M Hidden Network	—	—
Description Potential timing-based covert channel detected Code Snippet `time.sleep(0.1)` Remediation Review sleep/delay patterns for data-dependent timing; normalize timing behavior Confidence low Rule ID MCP-M002
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `@override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Potential timing-based covert channel detected	M Hidden Network	—	—
Description Potential timing-based covert channel detected Code Snippet `time.sleep(0.5)` Remediation Review sleep/delay patterns for data-dependent timing; normalize timing behavior Confidence low Rule ID MCP-M002
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `# Actual negation should override the *.log pattern` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Module reload without integrity verification	L Lifecycle	—	—
Description Module reload without integrity verification Code Snippet `def test_reload(self):` Remediation Verify module hash/signature before reloading; implement integrity checks for hot reload Confidence medium Rule ID MCP-L003
high	—	Potential timing-based covert channel detected	M Hidden Network	—	—
Description Potential timing-based covert channel detected Code Snippet `time.sleep(self.delay)` Remediation Review sleep/delay patterns for data-dependent timing; normalize timing behavior Confidence low Rule ID MCP-M002
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `lambda: find_symbol_tool.apply("SerenaAgent/get_tool_description_override"),` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	ML classifier detected prompt injection pattern	G Tool Poisoning	—	—
Description ML classifier detected prompt injection pattern Code Snippet `""" # ruff: noqa # black: skip # mypy: ignore-errors # NOTE: This module is auto-generated from int...` Remediation Review and sanitize the detected text for potential injection attempts Confidence medium Rule ID MCP-ML-001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `# If a startup project is provided and has a per-project override, use it; otherwise use the global ...` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `def get_tool_description_override(self, tool_name: str) -> str \| None:` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `self._mode_overrides = ModeSelectionDefinition(default_modes=mode_names)` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	ML classifier detected prompt injection pattern	G Tool Poisoning	—	—
Description ML classifier detected prompt injection pattern Code Snippet `"Generating system prompt with available_tools=(see active tools), available_markers=%s"` Remediation Review and sanitize the detected text for potential injection attempts Confidence medium Rule ID MCP-ML-001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `# determine active modes from serena config, active project, and mode overrides` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `result_str += " (project override)"` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `override the default modes defined in the global Serena configuration or` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `"edit-override", help="Edit an existing prompt override file", context_settings={"max_content_width"...` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `a Jinja2 template for the generation of the system prompt.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `tool_description_overrides: dict[str, str] = field(default_factory=dict)` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `# Ensure backwards compatibility for tool_description_overrides` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `the user context will override the default context definition.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `the user mode will override the default mode definition.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `"""Shared between SerenaConfig and ProjectConfig, the latter used to override values in the form` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Outbound connection to dynamically constructed URL	M Hidden Network	—	—
Description Outbound connection to dynamically constructed URL Code Snippet `url = f"{self._base_url}{endpoint}"` Remediation Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction Confidence medium Rule ID MCP-M003
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `overridden_description = tool.agent.get_context().tool_description_overrides.get(func_name, None)` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet # Override model_config to disable the use of `.env` files for reading settings, because user projec... Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Potential timing-based covert channel detected	M Hidden Network	—	—
Description Potential timing-based covert channel detected Code Snippet `time.sleep(0.1)` Remediation Review sleep/delay patterns for data-dependent timing; normalize timing behavior Confidence low Rule ID MCP-M002
high	—	Extended prompt injection pattern detected	G Tool Poisoning	—	—
Description Extended prompt injection pattern detected Code Snippet `:param cwd: the working directory to execute the command in. If None, the project root will be used.` Remediation Review and remove suspicious instruction patterns from tool descriptions and code Confidence high Rule ID MCP-G004
high	—	Extended prompt injection pattern detected	G Tool Poisoning	—	—
Description Extended prompt injection pattern detected Code Snippet `Provides instructions for preparing for a new conversation (in order to continue with the necessary ...` Remediation Review and remove suspicious instruction patterns from tool descriptions and code Confidence medium Rule ID MCP-G004
high	—	Extended prompt injection pattern detected	G Tool Poisoning	—	—
Description Extended prompt injection pattern detected Code Snippet `Instructions for preparing for a new conversation. This tool should only be called on explicit user ...` Remediation Review and remove suspicious instruction patterns from tool descriptions and code Confidence medium Rule ID MCP-G004
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `Should only be used in settings where the system prompt is not read automatically by the client.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Extended prompt injection pattern detected	G Tool Poisoning	—	—
Description Extended prompt injection pattern detected Code Snippet `# If we can't read the file, return an empty spec` Remediation Review and remove suspicious instruction patterns from tool descriptions and code Confidence high Rule ID MCP-G004
high	—	Module reload without integrity verification	L Lifecycle	—	—
Description Module reload without integrity verification Code Snippet `def reload(self) -> None:` Remediation Verify module hash/signature before reloading; implement integrity checks for hot reload Confidence medium Rule ID MCP-L003
high	—	Extended prompt injection pattern detected	G Tool Poisoning	—	—
Description Extended prompt injection pattern detected Code Snippet `:param cwd: The working directory to execute the command in. If None, the current working directory ...` Remediation Review and remove suspicious instruction patterns from tool descriptions and code Confidence high Rule ID MCP-G004
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `from overrides import override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Outbound connection to dynamically constructed URL	M Hidden Network	—	—
Description Outbound connection to dynamically constructed URL Code Snippet `response = requests.get(url, headers=headers, stream=True, timeout=300)` Remediation Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction Confidence medium Rule ID MCP-M003
high	—	Outbound connection to dynamically constructed URL	M Hidden Network	—	—
Description Outbound connection to dynamically constructed URL Code Snippet `url = f"https://marketplace.visualstudio.com/_apis/public/gallery/publishers/ms-dynamics-smb/vsextensions/al/{AL_VERSION}/vspackage"` Remediation Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction Confidence medium Rule ID MCP-M003
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `Override to handle AL's requirement of opening files before requesting symbols.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `Override to use AL's custom gotodefinition command.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Potential timing-based covert channel detected	M Hidden Network	—	—
Description Potential timing-based covert channel detected Code Snippet `time.sleep(0.5)` Remediation Review sleep/delay patterns for data-dependent timing; normalize timing behavior Confidence low Rule ID MCP-M002
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `Override to normalize AL symbol names by stripping object type and ID metadata.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `Override to inject original AL object name (with type and ID) into hover responses.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `Allows override via ls_specific_settings[language].ls_path.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `Override to add --compile-commands-dir argument if we created a serena compilation database.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Outbound connection to dynamically constructed URL	M Hidden Network	—	—
Description Outbound connection to dynamically constructed URL Code Snippet `url=f"{clojure_lsp_releases}/clojure-lsp-native-macos-aarch64.zip",` Remediation Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction Confidence medium Rule ID MCP-M003
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `:param overrides: List of dictionaries which represent overrides or additions to the base dependenci...` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `You can pass a list of runtime dependency overrides in ls_specific_settings["csharp"]["runtime_depen...` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `Override to normalize Roslyn symbol names and cache originals.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `Override to inject original Roslyn symbol names (with type annotations) into hover responses.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `# Filter out deprecated DotNetRuntime overrides and warn users` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `gradle_java_home: "/path/to/jdk" # set to override Gradle's JDK` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Outbound connection to dynamically constructed URL	M Hidden Network	—	—
Description Outbound connection to dynamically constructed URL Code Snippet `url=f"https://github.com/elixir-lang/expert/releases/download/{EXPERT_VERSION}/expert_windows_amd64.exe",` Remediation Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction Confidence medium Rule ID MCP-M003
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `from overrides import override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `@override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `@override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `@override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Extended prompt injection pattern detected	G Tool Poisoning	—	—
Description Extended prompt injection pattern detected Code Snippet `# May be related to the time it takes to read the files or something like that.` Remediation Review and remove suspicious instruction patterns from tool descriptions and code Confidence high Rule ID MCP-G004
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `@override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `@override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `# -Xmx2G: 2GB heap is sufficient for most projects; override via ls_specific_settings for large code...` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Outbound connection to dynamically constructed URL	M Hidden Network	—	—
Description Outbound connection to dynamically constructed URL Code Snippet `kotlin_url = f"https://download-cdn.jetbrains.com/kotlin-lsp/{kotlin_lsp_version}/kotlin-lsp-{kotlin_lsp_version}-{kotlin_suffix}.zip"` Remediation Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction Confidence medium Rule ID MCP-M003
high	—	Outbound connection to dynamically constructed URL	M Hidden Network	—	—
Description Outbound connection to dynamically constructed URL Code Snippet `download_url = f"https://github.com/LuaLS/lua-language-server/releases/download/{lua_ls_version}/{download_name}"` Remediation Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction Confidence medium Rule ID MCP-M003
high	—	Outbound connection to dynamically constructed URL	M Hidden Network	—	—
Description Outbound connection to dynamically constructed URL Code Snippet `url=f"{marksman_releases}/marksman-linux-arm64",` Remediation Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction Confidence medium Rule ID MCP-M003
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `@override` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `- matlab_path: Path to MATLAB installation (overrides MATLAB_PATH env var)` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Outbound connection to dynamically constructed URL	M Hidden Network	—	—
Description Outbound connection to dynamically constructed URL Code Snippet `response = requests.get(url, headers=headers, stream=True, timeout=300)` Remediation Use allowlist for outbound connections; declare all endpoints in manifest; avoid dynamic URL construction Confidence medium Rule ID MCP-M003
high	—	Module path manipulation with user input	L Lifecycle	—	—
Description Module path manipulation with user input Code Snippet `node_path = shutil.which("node")` Remediation Validate and sanitize module paths; use allowlists for permitted module directories Confidence medium Rule ID MCP-L004
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `Override to normalize MATLAB symbol names.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `# Override to extend Nix symbol ranges to include trailing semicolons.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `- fpc_target_cpu: Override target CPU (e.g., "i386", "x86_64", "aarch64"). Sets FPCTARGETCPU.` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
high	—	ML classifier detected prompt injection pattern	G Tool Poisoning	—	—
Description ML classifier detected prompt injection pattern Code Snippet `f"STRUCTURE ERROR: Key set mismatch for method '{expected_method}'.\n" f"Expected keys: ...` Remediation Review and sanitize the detected text for potential injection attempts Confidence medium Rule ID MCP-ML-001
high	—	ML classifier detected prompt injection pattern	G Tool Poisoning	—	—
Description ML classifier detected prompt injection pattern Code Snippet `f"{req_id} VIOLATED: {method} method MUST omit params field entirely.{input_note}\n" f"E...` Remediation Review and sanitize the detected text for potential injection attempts Confidence medium Rule ID MCP-ML-001
high	—	Tool description contains prompt injection markers	G Tool Poisoning	—	—
Description Tool description contains prompt injection markers Code Snippet `"""Exclude should override include if both match."""` Remediation Remove suspicious instructions from tool descriptions Confidence medium Rule ID MCP-G001
medium	—	Tool description contains suspicious Unicode characters	G Tool Poisoning	—	—
Description Tool description contains suspicious Unicode characters Code Snippet `this.$themeIcon.text('☀️');` Remediation Remove Unicode control characters and confusables Confidence high Rule ID MCP-G002
medium	—	Tool description contains suspicious Unicode characters	G Tool Poisoning	—	—
Description Tool description contains suspicious Unicode characters Code Snippet `click.echo("⚠️ Health check completed with warnings - Check log for details")` Remediation Remove Unicode control characters and confusables Confidence high Rule ID MCP-G002
medium	—	Tool description contains suspicious Unicode characters	G Tool Poisoning	—	—
Description Tool description contains suspicious Unicode characters Code Snippet `print(f"⚠️ Warning: Dependencies installation failed with exit code {deps_result.returncode}")` Remediation Remove Unicode control characters and confusables Confidence high Rule ID MCP-G002
medium	—	Tool description contains suspicious Unicode characters	G Tool Poisoning	—	—
Description Tool description contains suspicious Unicode characters Code Snippet `print(f"⚠️ Warning: Dependencies installation failed with exit code {deps_result.returncode}")` Remediation Remove Unicode control characters and confusables Confidence high Rule ID MCP-G002
medium	—	Multiple WebSocket connections or relay pattern detected	M Hidden Network	—	—
Description Multiple WebSocket connections or relay pattern detected Code Snippet `this.ws = new WebSocket("ws://localhost:4402");` Remediation Limit WebSocket connections; document all WebSocket endpoints; avoid relay patterns Confidence medium Rule ID MCP-M004

MCP Surface Analysis

Attack Surface Analysis

Declared capabilities, transport security, and authentication posture

Tools

Resources

Transport

http

Auth

Not detected

Detected Capabilities

Inferred system access requirements from static analysis

8 checked

Declared Tools

22 total

execute_task low

tool_is_active low

get_tool low

run_gui low

run_in_thread low

execute_task low

execute_shell_command low

execute_with_timeout low

run_command low

_response_handler low

_request_handler low

_notification_handler low

code_action low

resolve_code_action low

execute_command low

code_action low

resolve_code_action low

execute_command low

create_launch_command low

run_user_operations low

run_item_operations low

run_test low

Resources

0 total

No resources detected

This server does not expose any data resources

Transport Security

Insecure

Type: http
Protocol: Not detected
TLS / Encryption: Not Enabled

Authentication & Secrets

Authentication: Not Detected
Token in Environment: No
Secrets Detected: None Detected

No authentication mechanism detected. This server may accept unauthenticated connections.

OWASP MCP Top 10 (2025)

Risk assessment mapped to OWASP MCP security framework v0.1

OWASP Reference

Risk ID	Risk Name	Status	Related Controls	Findings
MCP01	Token Mismanagement & Secret Exposure Hard-coded credentials, long-lived tokens, secrets in logs	Mitigated	3/3 controls pass	0
MCP02	Privilege Escalation via Scope Creep Weak scope enforcement, expanding permissions	Mitigated	1/1 controls pass	0
MCP03	Tool Poisoning Rug pulls, schema poisoning, tool shadowing	Vulnerable	1/2 controls pass	97
MCP04	Software Supply Chain Attacks Dependency tampering, build pipeline attacks	Mitigated	3/3 controls pass	0
MCP05	Command Injection & Execution Shell injection, chained execution, tool-mediated injection	Vulnerable	1/2 controls pass	60
MCP06	Prompt Injection via Contextual Payloads Hidden instructions in input, files, or retrieved documents	At Risk	3/4 controls pass	0
MCP07	Insufficient Authentication & Authorization Missing auth, shared secrets, token replay, impersonation	Not Assessed	No mapped controls	0
MCP08	Lack of Audit and Telemetry Insufficient logging, no traceability for autonomous workflows	Mitigated	1/1 controls pass	6
MCP09	Shadow MCP Servers Unauthorized instances outside security governance	Vulnerable	No mapped controls	27
MCP10	Context Injection & Over-Sharing Context window leaks, data exposure across sessions	Mitigated	2/2 controls pass	0

Based on OWASP MCP Top 10 v0.1 (2025). Controls and findings are mapped by category and keyword analysis.

190 total findings analyzed

Compliance Matrix

Level 0: Integrity Verified

Cert Level 0

Basic digest and schema validation only. No static analysis passed.

Next level requirements: Score ≥ 60, no critical findings, pass Level 1 controls

MSSS — MCP Server Security Standard

Certification level progression and control requirements · Score: 5/100 (Not Compliant)

MSSS Reference

Integrity Baseline

Static Verified Score ≥ 60

Security Certified Score ≥ 80

Runtime Certified Score ≥ 90

Level 1 -- Static Verified

22/26

Basic analysis, score ≥ 60, no critical findings

84%

No Critical Vulnerabilities
No High Vulnerabilities
No Secrets in Code
No SQL Injection
No Command Injection
No Path Traversal
No Insecure Deserialization
No XSS Vulnerabilities
Secure Cryptography
No Hardcoded Credentials
Compatible License
No Copyleft License
No Deprecated Dependencies
Pinned Dependencies
Known Supply Chain
Code Quality
Error Handling
Input Validation
Logging
No Prompt Injection
No Tool Poisoning
No Remote Code Execution
No SSRF or Data Exfiltration
No Privilege Escalation
No Cross-Tool Data Leakage
No Hidden Network Channels

Level 2 -- Security Certified

0/0

Full analysis, score ≥ 80, SBOM evidence required

Level 3 -- Runtime Certified

0/0

Score ≥ 90, dynamic analysis, full attestation chain

MSSS Controls Detail

Individual control results grouped by security category

Control	Status	Severity	Evidence
No Critical Vulnerabilities SEC-001	PASS		Control passed: No significant issues found
No High Vulnerabilities SEC-002	PASS		Control passed: No significant issues found
No Secrets in Code SEC-003	PASS		Control passed: No significant issues found
No SQL Injection SEC-004	FAIL	CRITICAL	Control failed: 52 findings found, score 50.0
No Command Injection SEC-005	PASS		Control passed: No significant issues found
No Path Traversal SEC-006	PASS		Control passed: No significant issues found
No Insecure Deserialization SEC-007	PASS		Control passed: No significant issues found
No XSS Vulnerabilities SEC-008	PASS		Control passed: No significant issues found
Secure Cryptography SEC-009	PASS		Control passed: No significant issues found
No Hardcoded Credentials SEC-010	PASS		Control passed: No significant issues found
Compatible License SC-001	PASS		Control passed: No significant issues found
No Copyleft License SC-002	PASS		Control passed: No significant issues found
No Deprecated Dependencies SC-003	PASS		Control passed: No significant issues found
Pinned Dependencies SC-004	PASS		Control passed: No significant issues found
Known Supply Chain SC-005	PASS		Control passed: No significant issues found
Code Quality MAT-001	PASS		Control passed: No significant issues found
Error Handling MAT-002	PASS		Control passed: No significant issues found
Input Validation MAT-003	PASS		Control passed: No significant issues found
Logging MAT-004	PASS		Control passed: No significant issues found
No Prompt Injection SEC-011	PASS		Control passed: No significant issues found
No Tool Poisoning SEC-012	FAIL	CRITICAL	Control failed: 97 findings found, score 50.0
No Remote Code Execution SEC-013	FAIL	CRITICAL	Control failed: 8 findings found, score 50.0
No SSRF or Data Exfiltration SEC-014	PASS		Control passed: No significant issues found
No Privilege Escalation SEC-015	PASS		Control passed: No significant issues found
No Cross-Tool Data Leakage SEC-016	PASS		Control passed: No significant issues found
No Hidden Network Channels SEC-017	FAIL	HIGH	Control failed: 27 findings found, score 50.0

Details

Repository: https://github.com/oraios/serena
Sprache
Lizenz
Neueste Version: commit-6a798ef-2026-03-01
Zuletzt aktualisiert: Mar 1, 2026

Score Badge

Add this badge to your README.

[![MCP Hub](https://mcp-hub.info/badge/_/serena.svg)](https://mcp-hub.info/mcp/_/serena)

Capabilities

Filesystem Network Command Execution Code Evaluation Database Secrets LLM Access Environment

View full details →

Versionen

Analysis Metadata

Toolchain Version: mcp-scan:1.0.0
Analyzed: 2026-02-25 23:29:12

Schnellinstallation

Integrity Verified

Not Recommended for Production

Vulnerability Summary

Score Breakdown

OWASP MCP Top 10 View full details →

MSSS Certification Level

Sicherheitskontrollen

Other Controls

Security Findings

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description

Code Snippet

Remediation

Description