Back to skill

Security audit

skill-python-env

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it automatically runs remote installer code and lets other skills change a shared Python environment, so it needs careful review before use.

Install only if you trust every skill that can call it and are comfortable with automatic software installation from the network. Safer operation would preinstall uv through an approved channel, restrict or pin package names, and treat ~/.python_env/<version> as shared mutable state that can affect multiple skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not packages:
        return
    log_info(f"安装依赖包:{' '.join(packages)}")
    result = subprocess.run(
        [uv_path, "pip", "install", "--python", str(env_dir), *packages],
        check=False,
    )
Confidence
94% confidence
Finding
result = subprocess.run( [uv_path, "pip", "install", "--python", str(env_dir), *packages], check=False, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
log_error("  https://docs.astral.sh/uv/getting-started/installation/")
            sys.exit(1)
        log_info("使用 PowerShell 安装 uv...")
        result = subprocess.run(
            [ps, "-ExecutionPolicy", "ByPass", "-Command",
             "irm https://astral.sh/uv/install.ps1 | iex"],
            check=False,
Confidence
99% confidence
Finding
result = subprocess.run( [ps, "-ExecutionPolicy", "ByPass", "-Command", "irm https://astral.sh/uv/install.ps1 | iex"], check=False, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
wget = shutil.which("wget")
        if curl:
            log_info("使用 curl 安装 uv...")
            proc = subprocess.run([curl, "-LsSf", "https://astral.sh/uv/install.sh"],
                                  stdout=subprocess.PIPE, check=True)
            subprocess.run(["sh"], input=proc.stdout, check=True)
        elif wget:
Confidence
98% confidence
Finding
proc = subprocess.run([curl, "-LsSf", "https://astral.sh/uv/install.sh"], stdout=subprocess.PIPE, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
log_info("使用 curl 安装 uv...")
            proc = subprocess.run([curl, "-LsSf", "https://astral.sh/uv/install.sh"],
                                  stdout=subprocess.PIPE, check=True)
            subprocess.run(["sh"], input=proc.stdout, check=True)
        elif wget:
            log_info("使用 wget 安装 uv...")
            proc = subprocess.run([wget, "-qO-", "https://astral.sh/uv/install.sh"],
Confidence
99% confidence
Finding
subprocess.run(["sh"], input=proc.stdout, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
subprocess.run(["sh"], input=proc.stdout, check=True)
        elif wget:
            log_info("使用 wget 安装 uv...")
            proc = subprocess.run([wget, "-qO-", "https://astral.sh/uv/install.sh"],
                                  stdout=subprocess.PIPE, check=True)
            subprocess.run(["sh"], input=proc.stdout, check=True)
        else:
Confidence
98% confidence
Finding
proc = subprocess.run([wget, "-qO-", "https://astral.sh/uv/install.sh"], stdout=subprocess.PIPE, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
log_info("使用 wget 安装 uv...")
            proc = subprocess.run([wget, "-qO-", "https://astral.sh/uv/install.sh"],
                                  stdout=subprocess.PIPE, check=True)
            subprocess.run(["sh"], input=proc.stdout, check=True)
        else:
            log_error("未找到 curl 或 wget,请手动安装 uv:")
            log_error("  https://docs.astral.sh/uv/getting-started/installation/")
Confidence
99% confidence
Finding
subprocess.run(["sh"], input=proc.stdout, check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly performs shell execution, environment manipulation, and network-based installation of uv/Python, yet declares no required permissions. This creates a trust and policy gap: callers or reviewers may treat it as low-risk while it can modify the host, download executables, and change shared runtime state.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is described as shared Python environment management, but it also mutates the shared environment by installing caller-specified packages. In this context, shared mutable dependencies are dangerous because they let one skill influence the runtime of unrelated skills, enabling dependency confusion, malicious package persistence, or breaking changes across consumers.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script automatically installs uv by downloading and executing remote installer scripts without user confirmation, signature verification, or checksum validation. Because this is an internal utility likely run non-interactively by other skills, it expands the blast radius from a convenience feature into unattended remote code execution during setup.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script automatically downloads and executes a remote installer for uv via PowerShell or shell piping without verifying integrity, pinning a version, or requiring explicit user confirmation. This creates a direct supply-chain and remote-code-execution risk: if the upstream host, network path, or installer content is compromised, arbitrary code will run with the user's privileges.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.