modern-python
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, SAFE
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill promotes the installation of third-party tools via piped shell execution (curl | sh). This is a high-risk pattern for arbitrary code execution from remote sources.
  * Evidence: In 'references/security-setup.md', the skill recommends: 'curl --proto "=https" --tlsv1.2 -LsSf https://github.com/j178/prek/releases/latest/download/prek-installer.sh | sh'.
  * Evidence: In 'references/uv-commands.md', the skill recommends: 'curl -LsSf https://astral.sh/uv/install.sh | sh'.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill encourages downloading and executing scripts from remote sources (github.com, astral.sh) without cryptographic integrity checks or pinning to specific commit hashes. Additionally, an automated scanner flagged a blacklisted URL in 'MANIFEST.in'.
- COMMAND_EXECUTION (LOW): The project provides numerous examples of using the 'uv' and 'prek' command-line interfaces to manage virtual environments, install dependencies, and run scripts.
- SAFE (SAFE): Despite the risky installation methods, the skill provides excellent documentation on security auditing tools such as 'zizmor' for GitHub Actions security, 'actionlint' for workflow validation, 'pip-audit' for vulnerability scanning, and 'detect-secrets' for preventing credential leaks.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata