uv-python-version-management

Fail

Audited by Socket on Feb 24, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[HIGH] supply_chain: Reference to external script with install/setup context (SC005)

Functionally benign for its stated purpose (managing Python versions) but carries supply-chain risk due to a curl|sh installer pattern and reliance on remote images/binaries without documented integrity checks. No explicit credential harvesting or malicious behavior is present in the documentation. Recommend treating the installer as untrusted until verified (use registry images, pinned versions, checksums, or GPG signatures) and avoid running unverified curl|sh on privileged hosts.

LLM verification: The SKILL.md is a correct and practical guide for using uv to manage Python versions, but it explicitly recommends high-risk supply-chain practices (curl ... | sh and unpinned 'latest' artifacts) and does not document integrity verification for the installer or the downloaded Python distributions. There is no evidence within this document of obfuscated or overtly malicious code, hard-coded credentials, or data-exfiltration instructions. However, following the documented installer pattern could enable ma

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 24, 2026, 05:29 PM
Package URL: pkg:socket/skills-sh/dawiddutoit%2Fcustom-claude%2Fuv-python-version-management%2F@1d2fc689092ebc7fd307b7878c0aac8125d3ce62