Skills
skills/cuba6112/skillfactory/uv-advanced/Gen Agent Trust Hub

uv-advanced

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The documentation in references/docker.md provides an installation pattern that downloads a shell script from https://astral.sh/uv/install.sh. While this is the official source for the tool, the domain astral.sh is not included in the explicitly trusted source list, making the download and subsequent execution a high-risk pattern under an 'assume-malicious' posture.
  • REMOTE_CODE_EXECUTION (HIGH): Several reference files (references/projects.md, references/pip-interface.md) describe workflows for adding and installing packages from arbitrary remote Git repositories and URLs (e.g., uv add git+https://github.com/org/repo and uv pip install https://...). This allows for the installation and execution of unvetted remote code within the agent's environment.
  • COMMAND_EXECUTION (MEDIUM): The skill documentation promotes the use of uv run and uvx (ephemeral tool execution) to run arbitrary Python packages and CLI tools. These commands represent a significant execution surface, as they can download and run code from external sources in a single step.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:44 PM