uv-package-manager

Audit result: Fail

Audited by Socket on Feb 23, 2026

1 alert found:

Alert type: Malware (severity: HIGH)
File: SKILL.md

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[HIGH] command_injection: PowerShell execution detected (CI005) [AITech 9.1.4]

Analysis: This skill is documentation for the 'uv' package manager and is internally consistent with its stated purpose: managing Python dependencies, virtual environments, and Python versions. No direct malicious code, credential-harvesting instructions, or obfuscated payloads are present in the provided text. However, the install instructions include high-risk patterns: executing remote scripts via 'curl | sh' and PowerShell 'irm | iex', and copying binaries from an external container registry. These download-and-execute patterns are objective supply-chain risks and raise the overall security risk: whatever the remote endpoint serves at the moment of the request runs with the user's privileges, and nothing in the snippet ties that content to a reviewed version. Users who follow the remote install commands should download the installer to a file and inspect it before executing it, prefer installing via official package managers (pip, brew, cargo) or pinned releases, and verify checksums against a value recorded from a reviewed copy. Overall: likely benign documentation, but with notable supply-chain risk due to unpinned remote installers.

LLM verification: This is documentation for the 'uv' package manager and is not itself malware. However, it includes multiple high-risk supply-chain patterns: unverified remote install scripts executed via pipe-to-shell, and unpinned installs and copies of externally published binaries. Those patterns substantially increase supply-chain risk if followed blindly (especially in CI, where the command runs unattended on every build). Recommend treating the install snippets as risky: avoid curl|bash or iex from remote URLs, pin versions/tags/digests, verify checksums, and
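The two recommendations above (flag the pipe-to-shell lines, and replace them with a download-verify-execute step pinned to a reviewed digest) as an added shell example. This is illustrative code written for this page; it is not part of the audited skill, not uv's own installer, and not Socket's scanner. The regular expression in `flag_pipe_to_shell` is a simplified stand-in for the CI013/CI005 checks, `install_pinned` takes whatever URL and SHA-256 the caller has recorded after reviewing that exact script, and `example.invalid` in the usage lines is a reserved placeholder, not a real download host.

```sh
#!/bin/sh
# Added example, not code from the audited skill or from uv.
# Demonstrates (1) spotting `curl ... | sh` / `irm ... | iex` lines in a
# document and (2) the safer download, verify, then execute sequence.
set -eu

# SHA-256 of a file; works with GNU sha256sum or BSD/macOS shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 only when the file's digest equals the pinned expected value.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Return 0 (flagged) when a line pipes a downloader straight into a shell:
# curl/wget | sh|bash|zsh (optionally via sudo), or PowerShell irm/iwr | iex.
# Simplified heuristic; the real scanner rules (CI013/CI005) are not public here.
flag_pipe_to_shell() {
  printf '%s\n' "$1" | grep -Eiq \
    '(curl|wget|irm|iwr|Invoke-WebRequest|Invoke-RestMethod)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(sh|bash|zsh|iex|Invoke-Expression)([^[:alnum:]_]|$)'
}

# Hardened replacement for `curl -LsSf URL | sh`:
#  - fetch over TLS only, to a file, never into a shell
#  - compare against a digest recorded when a reviewer read that exact script
#  - run it only on a match; a changed upstream script fails closed
# Assumption: the caller supplies the URL and the reviewed digest.
install_pinned() {
  url="$1"; expected_sha256="$2"
  tmp=$(mktemp)
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
  if ! verify_sha256 "$tmp" "$expected_sha256"; then
    echo "refusing to run $url: got $(sha256_of "$tmp"), pinned $expected_sha256" >&2
    rm -f "$tmp"
    return 1
  fi
  sh "$tmp"
  rm -f "$tmp"
}

# Usage (placeholder host and digest, nothing is fetched by this file as-is):
#   install_pinned https://example.invalid/install.sh <sha256-from-your-review>
#   flag_pipe_to_shell 'curl -LsSf https://example.invalid/install.sh | sh' && echo flagged
```

In CI the same idea applies to the binary-copy step the scanner flagged: reference the image or release by immutable digest or tag, not by a moving name, so a rebuild cannot silently pull different content than the one that was reviewed.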

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 23, 2026, 02:23 AM
Package URL
pkg:socket/skills-sh/Galaxy-Dawn%2Fclaude-scholar%2Fuv-package-manager%2F@d4738446621dd71fa1b2098fad993dd610ff2e03