arista-cvp

Fail

Audited by Socket on Mar 6, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

The package/skill appears to be a legitimate community demo for automating Arista CVP via its Resource API, and its capabilities map to the documented endpoints and workflows. However, it contains several severe security and supply-chain shortcomings: TLS verification is reportedly disabled (critical), dependencies are resolved at runtime without a pinned lockfile (supply-chain risk), and a high-value service account token (CVPTOKEN) is used, stored and forwarded in plaintext via a .env file. The create_tag workflow can make impactful infrastructure changes and should be programmatically gated and audited. No explicit signs of malware were found in the provided material, but the insecure defaults make credential theft and response tampering highly feasible. Before production use: enable TLS validation, pin dependencies with a lockfile and reproducible builds, move credentials to a secrets vault (or otherwise ensure secure handling), and enforce programmatic gating and thorough audit logging for write operations.

Confidence: 98%
Audit Metadata
Analyzed At: Mar 6, 2026, 12:32 AM
Package URL: pkg:socket/skills-sh/automateyournetwork%2Fnetclaw%2Farista-cvp%2F@3a7e476920f41ba33202f8f46602ee67f57c28d7