uv-package-manager
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- Remote Code Execution (HIGH): Detected piped remote execution from an untrusted source. Finding: curl -LsSf https://astral.sh/uv/install.sh | sh. Evidence: The automated scan detected a pattern where a remote shell script is downloaded and immediately executed via the shell. This bypasses static analysis and allows for arbitrary code execution. Impact: The source domain astral.sh is not included in the established trusted sources list, making the execution of its remote content a high-risk operation.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata