The only vulnerability introduced by the servers at Keybase is denial of service. I believe the protocol and clients are open source and there is no need to trust their servers for the key distribution part either (keys are cryptographically verified from a variety of sources like DNS, Twitter, Reddit, HN for each recipient).