uv-package-manager
Audited by Socket on Feb 21, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[HIGH] command_injection: PowerShell execution detected (CI005) [AITech 9.1.4]

The document is legitimate user-facing documentation for 'uv' with normal, expected features and workflows. It contains no explicit malicious code in-line, but it recommends several insecure supply-chain patterns (pipe-to-shell installers, unpinned 'latest' container tags, unpinned git installs) that create a realistic risk of arbitrary code execution if upstream artifacts are compromised.

Recommended mitigations: avoid curl|sh and irm|iex patterns in examples; show verification steps (SHA256 checksums, GPG signatures); pin container image digests and git commits/tags; prefer installing from verified package manager releases; and document least-privilege CI practices (no secrets in the build environment, use short-lived tokens).

Overall: not malware, but medium supply-chain risk that warrants caution and improved install verification.