uv-package-manager
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- Remote Code Execution (CRITICAL): The skill contains the command
curl -LsSf https://astral.sh/uv/install.sh | sh. This is a high-risk pattern that executes remote code without any verification or inspection, potentially allowing an attacker to compromise the agent's host system.\n- External Downloads (HIGH): The skill fetches content fromastral.sh. Since this domain is not on the predefined list of trusted external sources, the automated execution of its content is treated as a high-severity risk.\n- Command Execution (HIGH): The use ofshto execute the output of a network request provides a direct path for external scripts to run commands with the privileges of the agent process, representing a significant security boundary violation.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://astral.sh/uv/install.sh - DO NOT USE
- AI detected serious security threats
Audit Metadata