Security Policy

Last updated: April 2026

Overview

Yggdrasil combines automated AI analysis with human curator review to produce safety ratings for open source repositories. Every project in the catalog has been through this two-stage process before being published. This page explains how that process works.

Stage 1 — AI Analysis

When a repository is submitted for review, Yggdrasil runs an automated analysis powered by Claude (Anthropic). The model examines publicly available signals including:

  • Repository description, README, and documentation
  • Declared dependencies and known vulnerability history
  • Maintenance activity, contributor patterns, and release cadence
  • Licensing and supply-chain indicators
  • Community trust signals (stars, forks, issue responsiveness)

The AI produces an initial safety rating and a structured list of security findings. This output is never published directly — it feeds into Stage 2.

Stage 2 — Curator Review

Every AI analysis is reviewed by a human curator before the project appears in the catalog. Curators verify AI findings, apply contextual judgement, and may override or annotate the AI-assigned rating. Projects with an Unsafe or Caution rating receive additional scrutiny before publication.

Safety Ratings

Each published project carries one of three ratings:

Safe

No significant security concerns identified. The project follows reasonable maintenance and dependency hygiene practices.

Caution

One or more concerns were found that warrant attention before adoption. Review the security findings before integrating this project.

Unsafe

Serious concerns were identified. Use of this project in production environments is not recommended without a thorough independent review.

Scope and Limitations

Our analysis is based on publicly available information at the time of review. It is not a comprehensive security audit. In particular:

  • We do not perform dynamic analysis or fuzzing
  • We do not review private forks or proprietary extensions
  • Ratings reflect a point-in-time snapshot — repositories change
  • AI analysis may miss novel or obfuscated threat patterns

Ratings are updated periodically but are not real-time. A Safe rating today does not guarantee safety tomorrow.

Reporting a Concern

If you believe a project has been misrated, or you have identified a security issue with a listed project, please contact us at security@yggdrasil.help. We review all reports and update ratings when warranted.