skill-python-env
Pass
Audited by ClawScan on Mar 31, 2026.
Overview
The skill's code and instructions match its stated purpose: it creates per-version shared Python virtualenvs under ~/.python_env, auto-installs the 'uv' tool from astral.sh if missing, and installs requested packages; it's internally coherent but has expected risks around network installers and shared environments.
This skill appears to do what it says, but be aware of two practical risks before installing: (1) it auto-downloads and executes the uv installer from the network (curl|sh or PowerShell irm|iex); verify you trust https://astral.sh or install uv manually to avoid remote-exec risk, and (2) it creates shared per-version environments and will install caller-specified packages into them — a malicious or compromised calling skill could request installation of a malicious PyPI package that then affects other skills. To mitigate: restrict which skills can invoke this helper, prefer pinned package names/versions, review package arguments passed by callers, or disable the auto-install path and install uv and Python manually.
