技能 uv-package-manager 审计历史

审计历史

uv-package-manager - 4 审计

审计版本 4

最新 安全

Jan 17, 2026, 08:41 AM

Documentation-only skill teaching uv package manager usage. Static findings detected shell pipe patterns and PowerShell commands which are the official installation methods from astral.sh. All detected patterns are standard documentation for legitimate software installation and represent false positives.

2
已扫描文件
1,080
分析行数
3
发现项
claude
审计者
未发现安全问题

风险因素

⚙️ 外部命令 (3)
SKILL.md:55 SKILL.md:58 SKILL.md:143
🌐 网络访问 (2)
SKILL.md:55 SKILL.md:814-819
📁 文件系统访问 (2)
SKILL.md:448 SKILL.md:488-490

审计版本 3

安全

Jan 17, 2026, 08:41 AM

Documentation-only skill teaching uv package manager usage. Static findings detected shell pipe patterns and PowerShell commands which are the official installation methods from astral.sh. All detected patterns are standard documentation for legitimate software installation and represent false positives.

2
已扫描文件
1,080
分析行数
3
发现项
claude
审计者
未发现安全问题

风险因素

⚙️ 外部命令 (3)
SKILL.md:55 SKILL.md:58 SKILL.md:143
🌐 网络访问 (2)
SKILL.md:55 SKILL.md:814-819
📁 文件系统访问 (2)
SKILL.md:448 SKILL.md:488-490

审计版本 2

严重

Jan 4, 2026, 04:39 PM

The skill documentation contains download-and-execute patterns (curl | sh and PowerShell remote execution) that pose security risks, along with shell profile modification commands that could be used for persistence.

4
已扫描文件
860
分析行数
4
发现项
claude
审计者

严重问题 (3)

SKILL.md:55
Download and execute installer script
The skill instructs users to run a remote script via shell pipe, which is a download-and-execute pattern: "curl -LsSf https://astral.sh/uv/install.sh | sh".
SKILL.md:58
Download and execute PowerShell installer
The skill instructs users to execute a remote PowerShell script, which is a download-and-execute pattern: "powershell -c \"irm https://astral.sh/uv/install.ps1 | iex\"".
SKILL.md:680
Shell profile modification
The skill suggests appending to a shell rc file, which is a persistence mechanism pattern: "echo 'export PATH=\"$HOME/.cargo/bin:$PATH\"' >> ~/.bashrc".

风险因素

⚙️ 外部命令 (3)
SKILL.md:55 SKILL.md:58 SKILL.md:680

检测到的模式

curl pipe to shell installerPowerShell remote executionShell profile modification

审计版本 1

严重

Jan 4, 2026, 04:39 PM

The skill documentation contains download-and-execute patterns (curl | sh and PowerShell remote execution) that pose security risks, along with shell profile modification commands that could be used for persistence.

4
已扫描文件
860
分析行数
4
发现项
claude
审计者

严重问题 (3)

SKILL.md:55
Download and execute installer script
The skill instructs users to run a remote script via shell pipe, which is a download-and-execute pattern: "curl -LsSf https://astral.sh/uv/install.sh | sh".
SKILL.md:58
Download and execute PowerShell installer
The skill instructs users to execute a remote PowerShell script, which is a download-and-execute pattern: "powershell -c \"irm https://astral.sh/uv/install.ps1 | iex\"".
SKILL.md:680
Shell profile modification
The skill suggests appending to a shell rc file, which is a persistence mechanism pattern: "echo 'export PATH=\"$HOME/.cargo/bin:$PATH\"' >> ~/.bashrc".

风险因素

⚙️ 外部命令 (3)
SKILL.md:55 SKILL.md:58 SKILL.md:680

检测到的模式

curl pipe to shell installerPowerShell remote executionShell profile modification
← 返回技能