uv-package-manager

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] command_injection: Reference to external script with install/setup context (SC005) [HIGH] command_injection: PowerShell execution detected (CI005) [AITech 9.1.4] [HIGH] command_injection: Reference to external script with install/setup context (SC005) BENIGN: The fragment is a documentation/skill description for uv and does not contain executable code or covert data flows. Installation instructions reference external scripts but are standard for distribution. Primary risk concerns are standard supply-chain due-diligence checks (verify domain authenticity and repository provenance) rather than inherent malicious capability within the fragment. LLM verification: The file is documentation for 'uv' and does not contain executable or obfuscated malicious code. The principal security concern is operational: the documentation recommends high-risk install patterns (pipe-to-shell and PowerShell iex), unpinned package installations, and installing directly from git — all of which increase supply-chain attack surface. Treat these instructions as potentially dangerous if followed without verification. Mitigations: require manual inspection of remote scripts, pref