uv-package-manager
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL | REMOTE_CODE_EXECUTION | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
- Remote Code Execution (CRITICAL): The skill utilizes a dangerous 'curl | sh' pattern to download and execute an installer script from an external source. This pattern is a critical security vulnerability because it allows arbitrary code to be executed on the system without any prior inspection or verification.
  - Evidence: Detection of the command curl -LsSf https://astral.sh/uv/install.sh | sh
- External Downloads (HIGH): The skill downloads executable content from astral.sh. This domain is not included in the list of trusted external sources (e.g., GitHub, Google, Microsoft). Following the [TRUST-SCOPE-RULE], downloads from untrusted sources that are immediately executed retain high severity.
- Command Execution (HIGH): The skill uses shell commands to process external data, providing a direct vector for local system modification via the downloaded script.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://astral.sh/uv/install.sh - DO NOT USE
- AI detected serious security threats
Audit Metadata