uv-package-manager
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- Remote Code Execution (HIGH): The skill pipes a remote script from
https://astral.sh/uv/install.shdirectly into the shell (| sh). This executes unverified code and is a high-risk pattern. - External Downloads (HIGH): The script is downloaded from
astral.sh, which is not on the trusted organizations list provided in the security guidelines. - Command Execution (HIGH): Using shell pipes to install software from the internet is a high-severity practice that bypasses integrity checks.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata