Python Venv
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill is consistent with managing Python virtual environments, though users should expect it to run local package and environment commands.
This appears safe for its stated purpose, but it is designed to act quickly: expect local Python environment changes and package installations, and ask the agent to confirm commands first if you want more control.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may install packages or create/update environments based on project files with minimal prompting.
The skill tells the agent to run dependency installation or environment creation commands without asking when it detects certain project states. This is aligned with the skill's purpose, but it mutates the local development environment.
## 1. Clear Decisions (Execute Directly, No Ask) ... `uv sync` ... `poetry install` ... `conda env create -f environment.yml` ... `pipenv install`
Install only if you are comfortable with the agent managing Python environments; ask it to confirm before installs or environment changes if you want stricter control.
If followed, these commands execute installer scripts from an external website on the local machine.
The troubleshooting guide documents executing downloaded uv installer scripts. This is disclosed and setup-related, but users should recognize that these commands run remote installer code.
curl -LsSf https://astral.sh/uv/install.sh | sh ... powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
Review remote installer commands before running them, use trusted sources, and prefer an OS package manager or documented manual install path when appropriate.
