Skills
NYC
skills/ovachiever/droid-tings/uv-package-manager/Gen Agent Trust Hub

uv-package-manager

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTION
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (CRITICAL): The skill uses an insecure piped-to-shell execution method to download and run a script from a remote URL.
  • Evidence: Automated detection of curl -LsSf https://astral.sh/uv/install.sh | sh.
  • Risk: This pattern executes remote code without version pinning or integrity validation. Since the source domain astral.sh is not on the designated trusted list, this behavior is classified as CRITICAL. Piped remote execution allows a remote server to run arbitrary commands on the system, posing a severe security threat.
Recommendations
  • HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 17, 2026, 05:56 PM