Serena MCP

v2026.6

Oraios AI

MCP, coding-agent, language-server, semantic-code, refactoring
76
Strong
About This MCP

Open-source semantic coding toolkit from Oraios AI that turns any MCP-capable agent into an IDE-grade coding assistant. Uses language servers (LSP) for symbol-level code navigation and editing — find_symbol, find_referencing_symbols, precise symbol edits — plus project memory and shell execution. High-privilege local tooling: full filesystem and shell access.

Last Evaluated: June 10, 2026

Trust Vector Analysis

Dimension Breakdown

🚀Performance & Reliability
symbol resolution accuracy

Accuracy testing of symbol resolution and reference finding against IDE ground truth in multi-file projects

Evidence
Serena README: Symbol lookup and reference finding are backed by real language servers (LSP), giving compiler-grade accuracy for find_symbol and find_referencing_symbols across many supported languages
high | Verified: 2026-06-10
operation success rate

Hands-on testing of symbolic read/edit operations across project states

Evidence
Serena tool suite: Symbol-level editing operations (insert/replace at symbol granularity) succeed reliably when the language server has indexed the project; failures cluster around partially-indexed or syntactically broken code
medium | Verified: 2026-06-10
language server stability

Review of reported language-server issues and stress testing on large repositories

Evidence
Serena issue tracker: Stability varies by language server implementation; large projects can hit slow startup indexing, and some language servers occasionally require restart — a known operational caveat
medium | Verified: 2026-06-10
error recovery

Error-path testing including LSP crashes, unindexed files, and invalid edits

Evidence
Serena implementation: Tool failures return descriptive errors; language servers can be restarted via tooling, and the onboarding/memory system helps agents re-establish context after failures
medium | Verified: 2026-06-10
large project handling

Token-efficiency and navigation testing on repositories with 100k+ lines

Evidence
Serena design documentation: Symbol-level navigation reads only relevant code instead of whole files, keeping token usage low on large codebases — a key advantage over grep/read-based agents
medium | Verified: 2026-06-10
🛡️Security
shell execution risk

Capability analysis of shell execution tooling and its abuse potential under prompt injection

Evidence
Serena tool suite: execute_shell_command runs arbitrary shell commands with the user's privileges — effectively a full local code-execution surface; can be disabled via tool configuration/modes but is enabled in typical agent setups
high | Verified: 2026-06-10
filesystem access risk

Analysis of file read/write tool boundaries and project-scoping enforcement

Evidence
Serena project configuration: Read/write access across the activated project directory, including config files and anything reachable by relative paths; project activation provides scoping but enforcement is application-level, not sandboxed
high | Verified: 2026-06-10
sandboxing isolation

Review of process isolation, privilege boundaries, and available containment options

Evidence
Serena runtime model: Runs as a local Python process (uvx/uv) with no OS-level sandbox; combined with shell execution, a hijacked agent inherits the full local user privilege. Containerized deployment is possible but not the default
high | Verified: 2026-06-10
credential exposure risk

Analysis of secret-reachability via file and shell tools

Evidence
Serena architecture: Server itself requires no credentials, but filesystem and shell access mean local secrets (.env files, SSH keys, tokens) are readable if the agent is steered to do so
medium | Verified: 2026-06-10
unauthorized action risk

Authorization boundary analysis of write and execution tools, including available mode-based restrictions

Evidence
MCP security guidance: Code edits and shell commands can alter or destroy local state and reach the network; Serena's modes/contexts can restrict tool availability, and host-level approval remains the main guardrail for destructive actions
medium | Verified: 2026-06-10
🔒Privacy & Compliance
code exposure

Data flow analysis of tool outputs to the LLM provider

Evidence
MCP data flow architecture: Symbol contents, file excerpts, and shell output are sent to the LLM provider as tool results; symbol-level reads expose less code per call than whole-file approaches but private code still leaves the machine
high | Verified: 2026-06-10
sensitive data protection

Privacy controls assessment of file-content handling

Evidence
Serena repository: No built-in secret detection or redaction; .env files, keys, and credentials in the project tree can be read and forwarded to the LLM if requested
medium | Verified: 2026-06-10
local data control

Review of local execution model, memory storage, and data residency

Evidence
Serena architecture: Fully local operation: no hosted backend, no vendor telemetry; project memories are stored as plain local files (.serena directory) the user can inspect and delete
high | Verified: 2026-06-10
third party data sharing

Data sharing pathway analysis

Evidence
Serena documentation: No data is sent to Oraios AI or any third party by the server itself; the only outbound data flow is tool results to the user's chosen LLM provider
high | Verified: 2026-06-10
👁️Trust & Transparency
documentation quality

Documentation completeness and accuracy review

Evidence
Serena README and docs: Detailed README covering installation (uvx/uv), client integration, modes/contexts, tool list, supported languages, and project onboarding; active changelog
high | Verified: 2026-06-10
open source transparency

Source code and license review

Evidence
GitHub repository: Fully open source under MIT with no proprietary backend — the entire stack including language-server orchestration is auditable
high | Verified: 2026-06-10
operation visibility

Logging and observability assessment including the built-in dashboard

Evidence
Serena tooling: All operations are explicit named tool calls visible in MCP host logs; an optional local dashboard/log window shows server activity, though shell command side effects are only as visible as their output
medium | Verified: 2026-06-10
project memory transparency

Review of memory persistence format, location, and influence on agent sessions

Evidence
Serena memory system: Project memories are human-readable markdown files stored in the repository's .serena directory — fully inspectable and editable, though persistent memories can silently shape future agent behavior if unreviewed
high | Verified: 2026-06-10
⚙️Operational Excellence
ease of setup

Setup complexity assessment including language-server prerequisites

Evidence
Serena installation docs: One-liner via uvx serena (PyPI serena-agent), but requires Python/uv tooling plus per-language language servers; initial project indexing and onboarding add friction versus zero-config servers
high | Verified: 2026-06-10
performance

Latency and token-efficiency benchmarking on indexed projects

Evidence
Serena design documentation: Symbol-level operations are fast after indexing and dramatically cheaper in tokens than whole-file reads; first-run language-server indexing on large projects can take minutes
medium | Verified: 2026-06-10
feature coverage

Feature completeness assessment against IDE-grade coding-agent needs

Evidence
Serena tool suite: Comprehensive coding toolkit: symbol search/references, symbol-level editing, pattern search, file operations, shell execution, project memory, and onboarding — spanning 20+ languages via LSP
high | Verified: 2026-06-10
community adoption

Adoption metrics and community-activity analysis

Evidence
GitHub API: 25,204 stars as of 2026-06-10; widely adopted as a free, open-source way to add semantic code tools to Claude and other MCP-capable agents
high | Verified: 2026-06-10
maintenance activity

Commit frequency and release-cadence analysis

Evidence
GitHub repository activity: Very active development by Oraios AI with frequent releases, expanding language support, and responsive issue triage
high | Verified: 2026-06-10
Strengths
  • Language-server (LSP) backbone gives compiler-grade symbol navigation and references
  • Symbol-level reading/editing slashes token usage on large codebases versus whole-file approaches
  • Fully open source (MIT), fully local — no hosted backend, no telemetry, no API costs
  • Project memory system persists codebase knowledge across sessions as inspectable markdown
  • Broad language coverage (20+ languages) and active maintenance (25.2k stars)
  • Modes/contexts allow restricting the tool surface, including disabling shell execution
Limitations
  • Shell execution plus filesystem write access make it effectively full local code execution — high-privilege tooling that must be treated like granting terminal access
  • No OS-level sandboxing by default; a prompt-injected agent inherits full user privileges
  • No secret detection — local .env files, keys, and tokens are reachable and forwardable to the LLM
  • Language-server stability and first-run indexing time vary by language and project size
  • Setup requires Python/uv tooling and per-language language servers — more friction than npx-based servers
  • Persistent project memories can silently steer future sessions if not reviewed
Metadata
license: MIT
supported platforms: macOS, Linux, Windows with Python 3.11+ (uv/uvx)
programming languages: Python
mcp version: 1.0
github repo: https://github.com/oraios/serena
github stars: 25204
package: serena-agent (PyPI)
api dependency: Local language servers (LSP) per language
authentication: None required (local operation)
first release: 2025-04
maintained by: Oraios AI
status: Active
privilege level: High - local filesystem write and shell command execution
transport types: stdio, sse
installation methods: uvx, uv, pip, docker

Use Case Ratings

code generation

Purpose-built for semantic coding: IDE-grade symbol navigation and precise edits make it one of the strongest free coding-agent toolkits

research assistant

Excellent for exploring and understanding large codebases via symbol-level navigation

education

Good for learning how real codebases are structured, though setup and privilege level need supervision

data analysis

Shell access enables running analysis scripts, but this is incidental rather than a designed capability