python-packaging-uv
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Command Execution] (SAFE): The skill utilizes standard uv CLI commands to build and publish packages. These commands are restricted to the tool's primary purpose and do not exhibit dangerous or arbitrary execution patterns.
- [Credentials Unsafe] (SAFE): No hardcoded credentials were detected. The skill correctly instructs the user to use environment variables ($PYPI_TOKEN, $TEST_PYPI_TOKEN) for repository authentication.
- [Indirect Prompt Injection] (LOW): The skill processes project configuration files (like pyproject.toml) through the build process. While this is an ingestion point for untrusted data, it is a standard and necessary function of packaging tools. Evidence: Ingestion points (local project directory), Boundary markers (none, standard file formats), Capability inventory (uv build, uv publish), Sanitization (handled by the uv tool itself).