Oathe Security Badge

Is Pantheon-Security/medusa safe?

https://github.com/Pantheon-Security/medusa

Overall score: 91 (SAFE)

Pantheon-Security/medusa is a legitimate Python AI security scanner that covers MCP servers, agentic pipelines, and coding-editor attack surfaces. The repository contains no SKILL.md, no root-level npm install scripts, and no git hooks, and it exhibited clean network behavior limited to GitHub during clone. The primary risk is a test fixture package.json containing a functional ANTHROPIC_API_KEY exfiltration command; it exists as intentional test data for validating the scanner's supply chain detection capabilities and is confirmed detected by the project's own test suite.

Category Scores (weights sum to 100%; the weighted average gives the overall score)

Category                Score     Weight
Prompt Injection         96/100   30%
Data Exfiltration        80/100   25%
Code Execution           88/100   20%
Clone Behavior           97/100   10%
Canary Integrity        100/100   10%
Behavioral Reasoning     92/100    5%

Findings (7)

HIGH (-15) Test fixture package.json exfiltrates ANTHROPIC_API_KEY via npm preinstall

The file tests/fixtures/malicious_repo/package.json contains a syntactically valid npm preinstall lifecycle hook that would send $ANTHROPIC_API_KEY to an external attacker endpoint if npm install were run in that directory. This is test data for the scanner's supply chain detection capabilities, but the command is real and executable.

MEDIUM (-8) Functional shell commands in malicious_repo test fixtures

Multiple test fixture files under tests/fixtures/malicious_repo/ contain live shell commands including SSH key exfiltration via curl, silently-executed scripts, and credential harvesting via AWS CLI. These are intentional scanner test vectors but represent real executable code bundled in the repository.

LOW (-5) Additional credential exfiltration patterns across fixture files

Fixture files include curl commands targeting ~/.aws/credentials with base64 encoding, include-SSH-key-in-every-response instructions, and wget POST file exfiltration. All are in the explicitly labeled malicious_repo test fixture directory.

LOW (-4) Malicious AI context files in test fixtures

The repository bundles malicious .cursorrules, .clinerules, and copilot-instructions.md files as test fixtures. While clearly labeled as test data under tests/fixtures/malicious_repo/, these files contain functional prompt injection payloads (ignore-previous-instructions, security bypass, jailbreak patterns) verified by the scanner's own test suite.

LOW (-8) Security scanner with embedded attack corpus carries inherent dual-use risk

Medusa is a legitimate defensive security tool, but its comprehensive attack fixture library and scanner codebase covering jailbreaking, prompt injection, MCP vulnerabilities, and exfiltration patterns represent dual-use capability. The project demonstrates responsible security research practices with clear test labeling and false-positive management.

INFO (-3) Clean network behavior: GitHub-only connection

The clone process established exactly one external connection to GitHub (140.82.121.3:443) with no post-clone network activity to any other host. No DNS queries to attacker-controlled domains, no telemetry, no beacon callbacks.

INFO (0) All canary files intact: pre-clone access attributed to audit framework

Filesystem events show canary file access at 22:25:40, six seconds before the git clone began at 22:25:46. This timing definitively places the access within the Oathe audit framework's own initialization phase. The honeypot integrity check confirms all files are unmodified.