uv-package-manager
Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): Piped remote execution detected from an untrusted source. Evidence: 'curl -LsSf https://astral.sh/uv/install.sh | sh'. Analysis: The skill uses curl to download a shell script and pipes it directly to 'sh'. This execution method is highly risky as it bypasses verification. Since 'astral.sh' is not included in the defined list of Trusted External Sources, this finding remains at the critical level.
- [EXTERNAL_DOWNLOADS] (HIGH): The skill references an external installer from a domain not explicitly trusted in the security policy.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
- AI detected serious security threats