uv-project-migration

Fail

Audited by Socket on Feb 24, 2026

1 alert found:

Malware
Severity: HIGH
File: SKILL.md

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[HIGH] supply_chain: Reference to external script with install/setup context (SC005)

This skill/document is a legitimate-seeming migration guide whose capabilities align with its stated purpose. The main security problem is the unpinned, pipe-to-shell installation instruction (curl ... | sh), which is a high-risk supply-chain pattern: executing a remote script locally can lead to arbitrary code execution, credential theft, or persistence. There is no evidence in the text of direct credential harvesting or embedded malware, so confirmed malware likelihood is low. However, the installer pattern raises a moderate-to-high security risk for anyone following the quick-start instructions without verifying the installer. Recommend removing or replacing the curl|sh guidance with a verified installation method (package manager installs, pinned releases, checksums/signatures), and advising users to inspect the installer script before execution.

LLM verification: This skill is primarily documentation for migrating Python projects to the 'uv' package manager and is consistent with its stated purpose. There is no direct evidence in the provided content of intentional data exfiltration, backdoors, or obfuscated malicious code. However, the documentation repeatedly recommends a pipe-to-shell installation (curl ... | sh) from https://astral.sh/uv/install.sh. That pattern is a high-confidence supply-chain risk (unverified remote script execution). Recommend tr

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 24, 2026, 05:29 PM
Package URL
pkg:socket/skills-sh/dawiddutoit%2Fcustom-claude%2Fuv-project-migration%2F@977a7806fa03ab024649d0605bc61a28db0f4620