Skills
skills/cuba6112/skillfactory/uv-advanced/Snyk

uv-advanced

Warn

Audited by Snyk on Feb 16, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill’s documentation and examples show uv fetching and executing content from public, user-controlled sources—e.g., installing packages and git deps from PyPI and GitHub (uv pip install git+https://github.com/...), configuring indexes pointing to pypi.org or arbitrary URLs ([[tool.uv.index]] url = "https://pypi.org/simple"), and running ephemeral tools/HTTP requests (uvx httpie GET https://api.github.com or script examples that call external APIs)—which means the agent may ingest and act on untrusted, third-party content.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 16, 2026, 12:44 PM