uv-package-manager
Fail
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill executes a remote script from https://astral.sh/uv/install.sh by piping it directly into the shell (sh). This method of execution is inherently dangerous as it prevents the user or security tools from auditing the script content before it runs on the host system.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The installer is fetched from an external domain (astral.sh) that is not part of the pre-approved trusted organizations list, increasing exposure to supply chain attacks.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata