uv-ci-cd-integration

Fail

Audited by Socket on Feb 24, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]

This skill is largely coherent with its stated purpose (integrating the 'uv' tool into CI/CD and Docker workflows). However, it contains high-risk supply-chain patterns: curl | sh remote installer and examples that use unpinned 'latest' container images. Those patterns enable arbitrary code execution on CI runners and make credential-forwarding to newly installed binaries risky. There is no evidence in the provided text of deliberate malware or credential exfiltration code, but the download-and-execute instructions and unpinned artifacts raise a medium-high supply-chain security risk. Recommend pinning versions, avoiding pipe-to-shell in favor of verified installers or package manager installs, and exercising caution when forwarding secrets to newly installed tools.

LLM verification: This skill documentation is operationally useful and not itself malicious, but it contains multiple high-risk supply-chain patterns (curl | sh installer execution, unpinned container image tags, and writing externally fetched docs into CI configurations without verification). These patterns substantially increase the chance of arbitrary code execution and credential exfiltration if upstream assets are compromised. Recommend updating the documentation to require integrity verification of installe

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 24, 2026, 05:29 PM
Package URL: pkg:socket/skills-sh/dawiddutoit%2Fcustom-claude%2Fuv-ci-cd-integration%2F@1f1bff86d60c91348f1b44f7767dd374b62fa642