uv-trusted-publish-github-action
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements secure CI/CD practices by recommending the use of OpenID Connect (OIDC) for authentication with PyPI.
- [EXTERNAL_DOWNLOADS]: The skill references official documentation and repositories from astral-sh (the developers of uv). These are trusted resources used for providing guidance on tool configuration.
- [PROMPT_INJECTION]: The agent is instructed to read repository files such as pyproject.toml and GitHub workflow files. Ingestion points: pyproject.toml and GitHub workflow files (per SKILL.md). Boundary markers: absent. Capability inventory: file reading/writing and command execution (uv build). Sanitization: absent. This analysis identifies the potential for indirect prompt injection through untrusted content in project files, an inherent risk in development-oriented tasks where the agent reads and acts on repository contents.
- [COMMAND_EXECUTION]: The skill suggests running uv build to verify packaging readiness, which is a standard procedure in Python development.