python-best-practices

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill encourages the installation of an external package 'ty' using uv tool install ty. The documentation provided within the skill for this tool contains significant factual inaccuracies regarding its origin and implementation.
  • [REMOTE_CODE_EXECUTION]: The instructions direct the user to run uvx ty check, which downloads and executes code from a remote package registry at runtime. This pattern is dangerous when combined with the deceptive claims about the package's provenance.
  • [COMMAND_EXECUTION]: The skill contains explicit shell commands for installing and running third-party software (uvx ty check, uv tool install ty) based on misleading descriptions of the software's capabilities and authors.
  • [METADATA_POISONING]: The 'Optional: ty' section contains deceptive metadata. It falsely attributes the 'ty' tool to Astral (the creators of ruff and uv) and claims it is 'written in Rust' to establish unearned trust. The actual 'ty' package on PyPI is a Python-based wrapper not affiliated with Astral. This deception is a known tactic for tricking users into executing untrusted code.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 29, 2026, 10:24 AM