Trust Assessment
uv-global received a trust score of 32/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 2 critical, 0 high, 1 medium, and 1 low severity. Key findings include Arbitrary command execution, Remote code execution: curl/wget pipe to shell, Direct execution of remote script.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/guoqiao/uv-global/uv-global.sh:6 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/guoqiao/uv-global/uv-global.sh:6 | |
| MEDIUM | Direct execution of remote script The installation script downloads and directly executes a shell script from a remote URL (`https://astral.sh/uv/install.sh`) without prior review or integrity checks. This practice, while common for installing tools, poses a supply chain risk as it bypasses local inspection and could lead to arbitrary code execution if the remote server is compromised or if a man-in-the-middle attack occurs. Prefer using a package manager (like `brew`) that verifies package integrity. If `curl | sh` is necessary, consider downloading the script first, reviewing its contents, and then executing it locally. Alternatively, use a more secure installation method if available. | LLM | install.sh:5 | |
| LOW | Unpinned Python dependencies The `uv add` command installs a list of Python packages without specifying exact version numbers. This means that future installations could pull different versions of these packages, potentially introducing breaking changes or security vulnerabilities if a package maintainer pushes a malicious or compromised update. This is a form of supply chain risk due to non-deterministic dependency resolution. Pin specific versions for all dependencies (e.g., `uv add loguru==0.12.0`) to ensure deterministic builds and mitigate risks from unexpected or malicious updates. Regularly review and update pinned versions. | LLM | install.sh:20 |
Scan History
Embed Code
[](https://skillshield.io/report/9fb937d6e7e813d8)
Powered by SkillShield