uv-package-manager
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [Remote Code Execution] (CRITICAL): The skill executes a remote script via a pipe to the shell: curl -LsSf https://astral.sh/uv/install.sh | sh. This is a high-risk pattern that allows arbitrary code execution on the host system from an external URL.
- [External Downloads] (HIGH): The skill downloads and executes scripts from astral.sh. While this is the official domain for the 'uv' project, it is not included in the specified list of Trusted External Sources, thus it is treated as an untrusted source per policy.
- [Command Execution] (MEDIUM): As a package manager skill, the tool is designed to execute system-level commands to manage virtual environments and dependencies, which inherently increases the attack surface if used with malicious inputs.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata