migrate-pip-to-uv
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Command Execution] (LOW): The skill directs the agent to execute shell commands using the
uvtool (e.g.,uv add,uv sync). While these are standard development tasks, users should ensure they are working on trusted repositories.\n- [Indirect Prompt Injection] (LOW): The skill processes untrusted local data from requirements files which defines an attack surface.\n - Ingestion points: Files like
requirements.inandrequirements.txtare read and their contents are used to driveuvcommands.\n - Boundary markers: No specific boundary markers or instructions to ignore embedded commands in the data files are present.\n
- Capability inventory: The skill utilizes shell command execution and file system access.\n
- Sanitization: The instructions do not specify any validation or sanitization of the input file content.
Audit Metadata