astral-uv
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): The skill presents a significant indirect prompt injection surface because it instructs the agent to act on untrusted data from the local environment and from external registries.
  - Ingestion points: The skill triggers on external configuration files (pyproject.toml, requirements.txt) and on user-provided script names or package strings.
  - Boundary markers: Absent. There are no instructions or delimiters provided to guide the agent in isolating untrusted data from its core instructions.
  - Capability inventory: The agent can execute arbitrary Python code (uv run) and modify the system or virtual environment (uv add, uv sync, uv pip install).
  - Sanitization: Absent. No auditing or validation steps are defined for verifying the integrity of scripts or package sources before execution.
- COMMAND_EXECUTION (HIGH): The skill grants the agent the ability to execute powerful shell commands. If an attacker can manipulate input variables like <pkg> or <script.py>, they can achieve arbitrary command injection on the host system.
- REMOTE_CODE_EXECUTION (HIGH): By allowing the installation of packages from unverified sources and immediately running them or their associated setup scripts, the skill creates a path for remote code execution.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill facilitates the download and installation of unverified dependencies from external repositories. While standard for package managers, the lack of restriction to 'Trusted External Sources' maintains the risk at a MEDIUM level.
Recommendations
- AI detected serious security threats
Audit Metadata