uv-expert

Fail

Audited by Socket on Mar 1, 2026

1 alert found:

Malware (HIGH)
SKILL.md

This documentation/skill is primarily informational about the 'uv' tool and its workflows. It does not contain embedded malicious code, nor does it request credentials. The main security concern is supply-chain: the recommended curl|sh and PowerShell piped-install (iex) commands are high-risk download-and-execute patterns because they fetch remote scripts and execute them without any integrity verification. Additional moderate risks come from recommending unpinned pip installs, using a third-party GitHub Action in CI (transitive trust), and installing the package during Docker builds without pinned hashes. Recommendation: replace the curl|sh and iex examples with guidance to download and inspect the installer script before running it and to verify a checksum or signature; pin versions (or commit SHAs for GitHub Actions); and use hash-pinned installs in container builds and CI to reduce supply-chain risk.

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Mar 1, 2026, 12:11 AM
Package URL
pkg:socket/skills-sh/straydragon%2Fmy-claude-skills%2Fuv-expert%2F@7b129f70e964464f95e0a79167ec454d084b818a