python-fastapi

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). http://test is a harmless test/placeholder, but https://astral.sh/uv/install.sh is a direct third‑party shell installer (curl | sh) from an external domain — executing such .sh installers without verifying the source and inspecting the script is high risk and could be used to distribute malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The Quick Setup includes an installation command that downloads and executes remote code (curl -LsSf https://astral.sh/uv/install.sh | sh), and the project workflow depends on the installed "uv" tool to run/manage the app, so this is a high-confidence external fetch that executes remote code.