astral-uv
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- EXTERNAL_DOWNLOADS (SAFE): The skill provides instructions for installing Python packages from PyPI using uv. This is the intended purpose of the tool. The skill includes explicit security warnings about running unknown tools via uvx.
- COMMAND_EXECUTION (SAFE): The skill instructs the agent on how to use uv for environment management and script execution. These commands are standard for the tool and do not involve unauthorized privilege escalation or persistence.
- DATA_EXPOSURE (SAFE): No patterns of sensitive data access (like SSH keys or AWS credentials) or exfiltration were found. The skill only interacts with project-specific configuration files like pyproject.toml and uv.lock.
- INDIRECT_PROMPT_INJECTION (SAFE): While the skill involves processing external configuration files (e.g., uv.lock), it does not establish any unsafe data interpolation patterns that would allow for indirect injection. The usage is restricted to standard package management workflows.
Audit Metadata