Oathe Security Badge

Is lhassa8/veridano-skill safe?

https://github.com/lhassa8/veridano-skill

87 · SAFE

This skill appears to be a legitimate cybersecurity intelligence tool that provides access to government security data from CISA, FBI, and NIST. While it accessed sensitive files during installation and depends on an external API endpoint, no actual data exfiltration was detected and the functionality aligns with its stated purpose.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (4)

HIGH External API endpoint dependency -15

The skill makes API calls to an external AWS endpoint (7lqg8v66p1.execute-api.us-east-1.amazonaws.com), which could be used as a data exfiltration or command-and-control channel if compromised.

MEDIUM Accessed sensitive system files -10

During installation, the skill accessed multiple sensitive files including SSH keys, AWS credentials, and environment files. While no exfiltration was detected, this behavior indicates broader system access than expected.

LOW Contains executable Python script -15

The skill includes a Python script (veridano_client.py) that could execute code. However, the script appears legitimate and is a standard HTTP client for the Veridano API.

LOW Third-party service dependency risk -20

The skill's functionality depends entirely on an external third-party service. If this service were compromised, it could be used for malicious purposes, including data collection or misinformation.