Skills uv-package-manager Audit History

Audit History

uv-package-manager - 4 audits

Audit version 4

Latest Safe

Jan 17, 2026, 08:41 AM

Documentation-only skill teaching uv package manager usage. Static findings detected shell pipe patterns and PowerShell commands which are the official installation methods from astral.sh. All detected patterns are standard documentation for legitimate software installation and represent false positives.

2
Files scanned
1,080
Lines analyzed
3
findings
claude
Audited by
No security issues found

Risk Factors

⚙️ External commands (3)
SKILL.md:55 SKILL.md:58 SKILL.md:143
🌐 Network access (2)
SKILL.md:55 SKILL.md:814-819
📁 Filesystem access (2)
SKILL.md:448 SKILL.md:488-490

Audit version 3

Safe

Jan 17, 2026, 08:41 AM

Documentation-only skill teaching uv package manager usage. Static findings detected shell pipe patterns and PowerShell commands which are the official installation methods from astral.sh. All detected patterns are standard documentation for legitimate software installation and represent false positives.

2
Files scanned
1,080
Lines analyzed
3
findings
claude
Audited by
No security issues found

Risk Factors

⚙️ External commands (3)
SKILL.md:55 SKILL.md:58 SKILL.md:143
🌐 Network access (2)
SKILL.md:55 SKILL.md:814-819
📁 Filesystem access (2)
SKILL.md:448 SKILL.md:488-490

Audit version 2

Critical

Jan 4, 2026, 04:39 PM

The skill documentation contains download-and-execute patterns (curl | sh and PowerShell remote execution) that pose security risks, along with shell profile modification commands that could be used for persistence.

4
Files scanned
860
Lines analyzed
4
findings
claude
Audited by

Critical Issues (3)

SKILL.md:55
Download and execute installer script
The skill instructs users to run a remote script via shell pipe, which is a download-and-execute pattern: "curl -LsSf https://astral.sh/uv/install.sh | sh".
SKILL.md:58
Download and execute PowerShell installer
The skill instructs users to execute a remote PowerShell script, which is a download-and-execute pattern: "powershell -c \"irm https://astral.sh/uv/install.ps1 | iex\"".
SKILL.md:680
Shell profile modification
The skill suggests appending to a shell rc file, which is a persistence mechanism pattern: "echo 'export PATH=\"$HOME/.cargo/bin:$PATH\"' >> ~/.bashrc".

Risk Factors

⚙️ External commands (3)
SKILL.md:55 SKILL.md:58 SKILL.md:680

Detected Patterns

curl pipe to shell installerPowerShell remote executionShell profile modification

Audit version 1

Critical

Jan 4, 2026, 04:39 PM

The skill documentation contains download-and-execute patterns (curl | sh and PowerShell remote execution) that pose security risks, along with shell profile modification commands that could be used for persistence.

4
Files scanned
860
Lines analyzed
4
findings
claude
Audited by

Critical Issues (3)

SKILL.md:55
Download and execute installer script
The skill instructs users to run a remote script via shell pipe, which is a download-and-execute pattern: "curl -LsSf https://astral.sh/uv/install.sh | sh".
SKILL.md:58
Download and execute PowerShell installer
The skill instructs users to execute a remote PowerShell script, which is a download-and-execute pattern: "powershell -c \"irm https://astral.sh/uv/install.ps1 | iex\"".
SKILL.md:680
Shell profile modification
The skill suggests appending to a shell rc file, which is a persistence mechanism pattern: "echo 'export PATH=\"$HOME/.cargo/bin:$PATH\"' >> ~/.bashrc".

Risk Factors

⚙️ External commands (3)
SKILL.md:55 SKILL.md:58 SKILL.md:680

Detected Patterns

curl pipe to shell installerPowerShell remote executionShell profile modification
← Back to Skill