← Back to Skills Marketplace
2366
Downloads
0
Stars
6
Active Installs
3
Versions
Install in OpenClaw
/install uv-global
Description
Provision and reuse a global uv environment for ad hoc Python scripts.
Usage Guidance
This skill appears to do what it claims (create ~/.uv-global and shims), but it has two items you should consider before installing: (1) install.sh will fetch and pipe a remote script (https://astral.sh/uv/install.sh) to sh if uv is absent — that executes code from the network and should be reviewed or avoided unless you trust the host; (2) the skill is marked always:true, meaning it will be force-included in every agent run without explicit opt-in, which is uncommon and widens blast radius. Recommended actions: manually inspect or run install.sh in a disposable/sandbox environment; replace the curl|sh step with a reviewed/manual install of uv; remove any packages you don't need from the uv add list (especially SDKs that can access APIs); and consider disabling always:true or asking the publisher why it is required. If you lack trust in the remote installer or the publisher, do not install on a sensitive machine.
Capability Analysis
Type: OpenClaw Skill
Name: uv-global
Version: 0.1.2
The skill is classified as suspicious primarily due to the `install.sh` script's use of `curl -LsSf https://astral.sh/uv/install.sh | sh` to install the `uv` tool. While this is a common and official installation method, executing arbitrary remote shell scripts without prior inspection introduces a significant Remote Code Execution (RCE) vulnerability if the `astral.sh` domain or its content delivery network were ever compromised. This represents a risky capability rather than clear malicious intent by the skill author. The skill also installs a large number of Python packages, which, while legitimate, increases the overall attack surface.
Capability Assessment
Purpose & Capability
The name/description (provide a global uv env) matches the files and instructions: install or reuse uv, create ~/.uv-global, create a venv and shims, and install common packages. Requesting 'uv' or 'brew' is reasonable for this purpose.
Instruction Scope
Runtime instructions are narrowly scoped to creating ~/.uv-global, initializing uv, installing packages, and writing small shim scripts in the venv bin. They do not read unrelated system files or request credentials. However the instructions (and install.sh) explicitly instruct fetching and executing a remote installer if uv is missing, which broadens runtime impact.
Install Mechanism
install.sh will attempt 'brew install uv' or fall back to 'curl -LsSf https://astral.sh/uv/install.sh | sh'. Piping a remote script to sh is high-risk: it executes arbitrary code from a network host. Even if astral.sh is the official uv installer, fetching and executing remote code without manual review is a security concern.
Credentials
The skill does not request credentials or unusual environment variables. It writes to a single user path (~/.uv-global) and creates a .env file for that project. It installs many Python packages (including openai, anthropic, google-genai, yt-dlp, web3), which is consistent with providing a ready-to-use env but increases the capability surface — no direct credential requests in the package list itself.
Persistence & Privilege
The skill metadata sets always:true (force-included in every agent run). There is no clear justification for always:true for a utility that provisions a local venv. Combined with the remote installer behavior, always:true increases risk because the skill is present/available by default across agent runs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install uv-global - After installation, invoke the skill by name or use
/uv-global - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.2
- Replaced the install script reference from `uv-global.sh` to `install.sh`; removed the old script and added the new one.
- Installation instructions updated to mention new shims added to `~/.uv-global/.venv/bin`.
- Clarified that the PATH update makes both the global environment and shims available.
- General documentation enhancements for clarity.
v0.1.1
- Clarified and expanded the documentation for setup and usage of the global uv environment.
- Improved installation instructions and system requirements for better usability.
- Added practical usage tips and clarified when to use this skill versus a project-specific environment.
- Polished descriptions for clearer, more concise guidance.
v0.1.0
Initial release of uv-global:
- Create a global uv environment at `~/.uv-global` for Python experimentation and workflows.
- Supports easy installation of Python dependencies without polluting the system environment.
- Installs `uv` (via `brew` or `curl`) if not already available.
- Sets up a global virtual environment with common packages.
- Provides sample commands to install dependencies and run Python scripts within the managed environment.
- Works on Darwin and Linux systems.
Metadata
Frequently Asked Questions
What is UV Global?
Provision and reuse a global uv environment for ad hoc Python scripts. It is an AI Agent Skill for Claude Code / OpenClaw, with 2366 downloads so far.
How do I install UV Global?
Run "/install uv-global" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is UV Global free?
Yes, UV Global is completely free (open-source). You can download, install and use it at no cost.
Which platforms does UV Global support?
UV Global is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux).
Who created UV Global?
It is built and maintained by guoqiao (@guoqiao); the current version is v0.1.2.
More Skills