fastapi-setup
Audited by Socket on Feb 21, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]

This is a legitimate FastAPI project setup guide with normal configuration and testing code. There is no direct malicious logic in the sample application or configuration files. However, the troubleshooting advice includes an unpinned curl|sh installer command (https://astral.sh/uv/install.sh), which is a high-risk supply-chain pattern. Combined with unpinned dependency installation guidance, this elevates the security risk to moderate. Recommend removing or replacing the pipe-to-shell installer with safer, verified installation instructions (checksum/signature verification, package manager path), and ensure developers protect .env files and pin dependencies in reproducible lockfiles.

LLM verification: The provided project scaffold and Python code are consistent with a safe FastAPI starter: no direct malicious code, no dynamic evaluation, and no hidden backdoors in the examined files. The main security concern is the documentation's recommendation to install the 'uv' tool via an unverified curl | sh one-liner (https://astral.sh/uv/install.sh), which is a classic supply-chain execution risk. Additional risks include storing plaintext secrets in .env without guidance for secure handling and lack