uv-package-manager
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS] (SAFE): The skill provides commands for installing Python packages via `uv add` and `uv sync`. While this involves downloading external code, it is the primary and intended purpose of a package manager skill. The examples provided use well-known, legitimate packages like 'requests', 'fastapi', and 'pytest'.
- [COMMAND_EXECUTION] (SAFE): The skill includes instructions for `uv run`, which executes local Python scripts or installed tools. This is a standard and necessary function for a development tool skill.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill has an attack surface for indirect prompt injection as it processes external files such as `pyproject.toml`, `requirements.txt`, and Git repositories.
  - Ingestion points: `SKILL.md` (via instructions to process `pyproject.toml` and `requirements.txt`).
  - Boundary markers: Absent in the instructions; the skill relies on the agent's default processing of these file types.
  - Capability inventory: Includes subprocess execution (`uv run`), package installation (`uv add`), and network operations (`uv sync`).
  - Sanitization: Relies on the underlying `uv` tool's verification of package integrity and lock files.
Audit Metadata