История аудитов - uv-package-manager

Версия аудита 4

Последняя Безопасно

Jan 17, 2026, 08:41 AM

Documentation-only skill teaching uv package manager usage. Static findings detected shell pipe patterns and PowerShell commands which are the official installation methods from astral.sh. All detected patterns are standard documentation for legitimate software installation and represent false positives.

2

Просканировано файлов

1,080

Проанализировано строк

3

находки

claude

Проверено

Проблем безопасности не найдено

Факторы риска

⚙️ Внешние команды (3)

SKILL.md:55 SKILL.md:58 SKILL.md:143

🌐 Доступ к сети (2)

SKILL.md:55 SKILL.md:814-819

📁 Доступ к файловой системе (2)

SKILL.md:448 SKILL.md:488-490

Версия аудита 3

Безопасно

Jan 17, 2026, 08:41 AM

Documentation-only skill teaching uv package manager usage. Static findings detected shell pipe patterns and PowerShell commands which are the official installation methods from astral.sh. All detected patterns are standard documentation for legitimate software installation and represent false positives.

2

Просканировано файлов

1,080

Проанализировано строк

3

находки

claude

Проверено

Проблем безопасности не найдено

Факторы риска

⚙️ Внешние команды (3)

SKILL.md:55 SKILL.md:58 SKILL.md:143

🌐 Доступ к сети (2)

SKILL.md:55 SKILL.md:814-819

📁 Доступ к файловой системе (2)

SKILL.md:448 SKILL.md:488-490

Версия аудита 2

Критично

Jan 4, 2026, 04:39 PM

The skill documentation contains download-and-execute patterns (curl | sh and PowerShell remote execution) that pose security risks, along with shell profile modification commands that could be used for persistence.

4

Просканировано файлов

860

Проанализировано строк

4

находки

claude

Проверено

Критические проблемы (3)

SKILL.md:55

Download and execute installer script

The skill instructs users to run a remote script via shell pipe, which is a download-and-execute pattern: "curl -LsSf https://astral.sh/uv/install.sh | sh".

SKILL.md:58

Download and execute PowerShell installer

The skill instructs users to execute a remote PowerShell script, which is a download-and-execute pattern: "powershell -c \"irm https://astral.sh/uv/install.ps1 | iex\"".

SKILL.md:680

Shell profile modification

The skill suggests appending to a shell rc file, which is a persistence mechanism pattern: "echo 'export PATH=\"$HOME/.cargo/bin:$PATH\"' >> ~/.bashrc".

Факторы риска

⚙️ Внешние команды (3)

SKILL.md:55 SKILL.md:58 SKILL.md:680

Обнаруженные паттерны

curl pipe to shell installerPowerShell remote executionShell profile modification

Версия аудита 1

Критично

Jan 4, 2026, 04:39 PM

The skill documentation contains download-and-execute patterns (curl | sh and PowerShell remote execution) that pose security risks, along with shell profile modification commands that could be used for persistence.

4

Просканировано файлов

860

Проанализировано строк

4

находки

claude

Проверено

Критические проблемы (3)

SKILL.md:55

Download and execute installer script

The skill instructs users to run a remote script via shell pipe, which is a download-and-execute pattern: "curl -LsSf https://astral.sh/uv/install.sh | sh".

SKILL.md:58

Download and execute PowerShell installer

The skill instructs users to execute a remote PowerShell script, which is a download-and-execute pattern: "powershell -c \"irm https://astral.sh/uv/install.ps1 | iex\"".

SKILL.md:680

Shell profile modification

The skill suggests appending to a shell rc file, which is a persistence mechanism pattern: "echo 'export PATH=\"$HOME/.cargo/bin:$PATH\"' >> ~/.bashrc".

Факторы риска

⚙️ Внешние команды (3)

SKILL.md:55 SKILL.md:58 SKILL.md:680

Обнаруженные паттерны

curl pipe to shell installerPowerShell remote executionShell profile modification