uv-package-manager
Audited by Socket on Mar 8, 2026
1 alert found:
Malware
The uv-package-manager skill is primarily a comprehensive guide for a Python-focused package manager and relies heavily on install-from-URL patterns. The documented capabilities are aligned with its stated purpose, but the dominant security concern is the use of direct remote script execution (curl | sh and remote PowerShell) to install software, plus binaries that cannot be verified and Git/ghcr.io-based distributions. These supply-chain and remote-execution patterns create non-trivial risk if the script sources are compromised or if the binaries are not verifiably signed. In a security-conscious setting, the skill should be treated as SUSPICIOUS because of its download-execute patterns and unverifiable install sources, unless mitigations such as signed releases, version pinning, checksums, and in-repo verification are clearly enforced.
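The mitigation the alert asks for, as an added example that is not part of the Socket report or of the uv project: download the installer to a file, pin the version, compare the artifact's SHA-256 against a digest obtained from a trusted channel, and only then execute it. The URL, version string and digest below are placeholders, not uv's real release data.

```shell
#!/bin/sh
# Added example (not from Socket or the uv project): replace "curl ... | sh"
# with download, pin, verify, then execute. INSTALLER_URL, PINNED_VERSION and
# PINNED_SHA256 are placeholders; obtain the real digest from a trusted channel
# (signed release notes, a checksum committed to your repo) and pin it here.

PINNED_VERSION="X.Y.Z"                                                # placeholder version
INSTALLER_URL="https://example.invalid/${PINNED_VERSION}/install.sh"  # placeholder URL
PINNED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder digest

# Print the SHA-256 hex digest of a file; works with GNU coreutils or BSD/macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 only if FILE's SHA-256 digest equals EXPECTED.
verify_sha256() {
  file="$1"; expected="$2"
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Download URL to DEST without executing anything: HTTPS only, TLS 1.2+,
# fail on HTTP errors, and follow redirects only to HTTPS.
fetch_only() {
  url="$1"; dest="$2"
  curl -fsSL --proto '=https' --proto-redir '=https' --tlsv1.2 -o "$dest" "$url"
}

# Execute FILE with sh only after its digest matches EXPECTED.
# Exit status: the installer's own status on success; 2 if verification failed,
# in which case the file is deleted and never run.
run_verified() {
  file="$1"; expected="$2"
  if ! verify_sha256 "$file" "$expected"; then
    echo "refusing to run $file: SHA-256 mismatch" >&2
    rm -f "$file"
    return 2
  fi
  sh "$file"
}

# The risky pattern this replaces, kept as a comment for contrast:
#   curl -LsSf "$INSTALLER_URL" | sh
install_pinned() {
  tmp=$(mktemp) || return 1
  fetch_only "$INSTALLER_URL" "$tmp" || { rm -f "$tmp"; return 1; }
  run_verified "$tmp" "$PINNED_SHA256"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}
```

The digest must come from somewhere other than the same server that serves the installer (a checksum committed to your own repository, or a signed release manifest); a checksum fetched alongside the script from a compromised host proves nothing. Pinning the version in the URL also stops a silent upgrade from changing what the pinned digest is compared against.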