uv
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is a legitimate documentation resource for the UV tool.
- [EXTERNAL_DOWNLOADS]: The skill references official installation scripts from astral.sh. These sources are well-known and official for the software described, posing no unusual risk.
- [REMOTE_CODE_EXECUTION]: The documentation includes standard commands to install UV by piping scripts from astral.sh to a shell or PowerShell interpreter. These are the recommended installation methods for this trusted utility.
- [COMMAND_EXECUTION]: The skill provides instructions for executing Python code using uv run and uvx, which is consistent with its primary purpose as a package manager guide.
- [INDIRECT_PROMPT_INJECTION]: The skill facilitates script execution, which is an inherent attack surface for agent tools. Mandatory evidence chain: 1. Ingestion points: The skill processes user queries and guides agent execution of scripts. 2. Boundary markers: The documentation encourages best practices like version pinning and using absolute paths. 3. Capability inventory: Uses uv run and uvx (subprocess execution). 4. Sanitization: Not applicable to this documentation-only skill.
Audit Metadata