python-uv

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.75). 127.0.0.1:8000/api/health is a local health-check (not a download), but https://astral.sh/uv/install.sh is a direct third‑party shell installer (commonly used with curl | sh) and therefore a potentially risky distribution vector that should be verified and inspected before running.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The deploy script runs a runtime shell pipe that downloads and executes a remote installer (curl -LsSf https://astral.sh/uv/install.sh | sh), which fetches and runs remote code during deployment.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt includes instructions to write/modify a systemd unit under /etc/systemd/system and explicitly runs "sudo systemctl restart myapp" (and other deploy steps), which require elevated privileges and modify system state.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 16, 2026, 01:12 PM