Serena Openclaw Plugin

Warn. Audited by ClawScan on May 13, 2026.

Overview

The plugin matches its stated Serena code-navigation/editing purpose, but it gives agents broad file-editing, shell, and raw MCP access unless users carefully restrict it.

Review before installing. If you use it, configure allowedRoots narrowly, start with readOnly true unless you need edits, avoid raw passthrough and shell tools unless necessary, and use a trusted pinned Serena installation rather than the automatic unpinned uvx GitHub launcher.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If enabled, an agent could modify files or run commands through Serena, not just inspect code.

Why it was flagged

The declared contract includes code/file mutation, shell execution, and raw upstream MCP passthrough tools, which are high-impact capabilities beyond simple semantic navigation.

Skill content

"serena_replace_content", "serena_create_text_file", "serena_execute_shell_command", "serena_call_tool"

Recommendation

Use readOnly mode for analysis-only work, avoid passthrough unless needed, configure Serena tool allow/deny lists, and require user review for mutating or shell actions.

What this means

A mistaken or agent-selected project path could let Serena operate outside the intended code directory.

Why it was flagged

When allowedRoots is omitted or empty, the root-boundary check allows any existing path, so the high-impact Serena tools are not contained to a configured workspace by default.

Skill content

if (allowedRoots.length === 0) {
    return true;
}

Recommendation

Set allowedRoots to the smallest necessary directories before enabling the plugin, and consider readOnly mode for broad repositories.

What this means

Your agent may execute Serena code fetched from GitHub at runtime if a local Serena executable is not used.

Why it was flagged

The automatic launcher can run Serena through uvx from an unpinned GitHub source. This is disclosed and purpose-aligned, but the upstream code/version can change.

Skill content

"--from",
"git+https://github.com/oraios/serena",
"serena",

Recommendation

Prefer a trusted, pinned Serena installation or configure command/args explicitly to a reviewed local binary.

What this means

Any credentials present in the OpenClaw environment become available to the Serena backend process.

Why it was flagged

The launched Serena subprocess receives the full OpenClaw process environment plus configured environment variables, which may include tokens or other secrets.

Skill content

env: {
    ...process.env,
    ...config.env,
    SERENA_PROJECT_ROOT: projectRoot,
}

Recommendation

Run the gateway with a minimal environment and only use a Serena launcher you trust.

What this means

Serena sessions can remain active after a single tool call until they time out or the service stops.

Why it was flagged

The plugin keeps Serena sessions cached for reuse and cleans them up after an idle timeout, which is purpose-aligned but means backend processes may persist during gateway operation.

Skill content

sessions = new Map();
...
if (idleMs > this.config.idleTimeoutSec * 1000) {
    this.sessions.delete(projectRoot);
    void session.stop();
}

Recommendation

Keep idleTimeoutSec and maxSessions conservative, and use the provided status/restart controls to monitor active sessions.