python-uv
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): The skill contains a pattern that pipes a remote script directly into a shell: `curl -LsSf https://astral.sh/uv/install.sh | sh`. This allows a remote server to execute arbitrary commands on the system. Per the security policy, piped remote execution from a non-whitelisted source (astral.sh) is a CRITICAL finding.
- COMMAND_EXECUTION (HIGH): The skill requires and utilizes elevated privileges via `sudo`, specifically for restarting system services: `sudo systemctl restart myapp`. It also modifies system-level files at `/etc/systemd/system/`.
- EXTERNAL_DOWNLOADS (HIGH): The skill initiates network downloads from astral.sh. Since this domain is not within the trusted organization list defined in [TRUST-SCOPE-RULE], it is treated as an untrusted external download.
- INDIRECT_PROMPT_INJECTION (HIGH): The skill is designed to ingest and process external project configuration files, which can act as a vector for indirect prompt injection.
  - Ingestion points: `pyproject.toml`, `uv.lock`, and other files within the project directory read via the `Read` and `Grep` tools.
  - Boundary markers: Absent. There are no delimiters or instructions to the agent to treat file content as untrusted or to ignore embedded instructions.
  - Capability inventory: The skill possesses extensive capabilities including `Bash` (shell execution), `Write` (file modification), and `Edit`, providing a high-impact exploitation surface if a malicious file is processed.
  - Sanitization: Absent. The skill provides no mechanisms for sanitizing or validating the content of the project files before they are used in commands or logic.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://astral.sh/uv/install.sh - DO NOT USE
- AI detected serious security threats
Audit Metadata