CPAN shouldn't allow modules that have been reliably reported to be buggy or a security risk without being documented as such, but the same goes for any other website with a collection of scripts. If it's not core, it's just another script from someone's website.