uv-package-manager
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (CRITICAL): The skill uses a highly dangerous pattern where a script is downloaded from a remote server and piped directly into the shell for execution. This bypasses all manual review or verification steps.
  - Evidence: `curl -LsSf https://astral.sh/uv/install.sh | sh`
  - Trust Status: The domain `astral.sh` is not listed as a trusted source in the governing security policy, and thus the execution of its remote content is treated as an untrusted RCE vector.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://astral.sh/uv/install.sh - DO NOT USE
- AI detected serious security threats
Audit Metadata