uv-package-manager

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill employs a dangerous piped-execution pattern: curl -LsSf https://astral.sh/uv/install.sh | sh. This allows a remote script to be executed with the permissions of the current user without any integrity checking, signature verification, or prior manual review of the script content.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill downloads and executes resources from https://astral.sh. Although the site is the official home of the 'uv' project, the domain is not included in the provided whitelist of 'Trusted External Sources', categorizing the dependency as unverifiable within the current security scope.
Recommendations
  • HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 21, 2026, 03:24 PM