uv-workflow
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [SAFE] (SAFE): No malicious behavior detected. The skill consists of instructional markdown files detailing the use of the uv package manager.
- [CREDENTIALS_UNSAFE] (SAFE): No hardcoded secrets were found. The skill correctly demonstrates the use of environment variable placeholders like $PYPI_TOKEN for publishing operations.
- [COMMAND_EXECUTION] (SAFE): Command examples (e.g., uv run, uv sync, uvx) are standard for the tool's intended purpose and do not execute untrusted or obfuscated strings.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill enables an agent to interact with Python project configuration files (pyproject.toml, uv.lock), which is an inherent attack surface for development tools but is not exploited here. Evidence Chain:
  1. Ingestion point: pyproject.toml, uv.lock.
  2. Boundary markers: Absent.
  3. Capability inventory: uv run, uv sync, uvx.
  4. Sanitization: Absent.
Audit Metadata