guoqiao

UV Global

Author: guoqiao · GitHub · v0.1.2
Platforms: darwin, linux · ⚠ suspicious
Total downloads: 2366
Favorites: 0
Current installs: 6
Versions: 3
Install in OpenClaw
/install uv-global
Description
Provision and reuse a global uv environment for ad hoc Python scripts.
Security usage advice
This skill appears to do what it claims (create ~/.uv-global and shims), but it has two items you should consider before installing: (1) install.sh will fetch and pipe a remote script (https://astral.sh/uv/install.sh) to sh if uv is absent — that executes code from the network and should be reviewed or avoided unless you trust the host; (2) the skill is marked always:true, meaning it will be force-included in every agent run without explicit opt-in, which is uncommon and widens blast radius. Recommended actions: manually inspect or run install.sh in a disposable/sandbox environment; replace the curl|sh step with a reviewed/manual install of uv; remove any packages you don't need from the uv add list (especially SDKs that can access APIs); and consider disabling always:true or asking the publisher why it is required. If you lack trust in the remote installer or the publisher, do not install on a sensitive machine.
Functional analysis
Type: OpenClaw Skill
Name: uv-global
Version: 0.1.2

The skill is classified as suspicious primarily due to the `install.sh` script's use of `curl -LsSf https://astral.sh/uv/install.sh | sh` to install the `uv` tool. While this is a common and official installation method, executing arbitrary remote shell scripts without prior inspection introduces a significant Remote Code Execution (RCE) vulnerability if the `astral.sh` domain or its content delivery network were ever compromised. This represents a risky capability rather than clear malicious intent by the skill author. The skill also installs a large number of Python packages, which, while legitimate, increases the overall attack surface.
Capability assessment
Purpose & Capability
The name/description (provide a global uv env) matches the files and instructions: install or reuse uv, create ~/.uv-global, create a venv and shims, and install common packages. Requesting 'uv' or 'brew' is reasonable for this purpose.
Instruction Scope
Runtime instructions are narrowly scoped to creating ~/.uv-global, initializing uv, installing packages, and writing small shim scripts in the venv bin. They do not read unrelated system files or request credentials. However the instructions (and install.sh) explicitly instruct fetching and executing a remote installer if uv is missing, which broadens runtime impact.
Install Mechanism
install.sh will attempt 'brew install uv' or fall back to 'curl -LsSf https://astral.sh/uv/install.sh | sh'. Piping a remote script to sh is high-risk: it executes arbitrary code from a network host. Even if astral.sh is the official uv installer, fetching and executing remote code without manual review is a security concern.
Credentials
The skill does not request credentials or unusual environment variables. It writes to a single user path (~/.uv-global) and creates a .env file for that project. It installs many Python packages (including openai, anthropic, google-genai, yt-dlp, web3), which is consistent with providing a ready-to-use env but increases the capability surface — no direct credential requests in the package list itself.
Persistence & Privilege
The skill metadata sets always:true (force-included in every agent run). There is no clear justification for always:true for a utility that provisions a local venv. Combined with the remote installer behavior, always:true increases risk because the skill is present/available by default across agent runs.
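How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install uv-global
  3. Once installation completes, invoke the Skill by name or trigger it with /uv-global
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history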
v0.1.2
- Replaced the install script reference from `uv-global.sh` to `install.sh`; removed the old script and added the new one.
- Installation instructions updated to mention new shims added to `~/.uv-global/.venv/bin`.
- Clarified that the PATH update makes both the global environment and shims available.
- General documentation enhancements for clarity.
v0.1.1
- Clarified and expanded the documentation for setup and usage of the global uv environment.
- Improved installation instructions and system requirements for better usability.
- Added practical usage tips and clarified when to use this skill versus a project-specific environment.
- Polished descriptions for clearer, more concise guidance.
v0.1.0
Initial release of uv-global:
- Create a global uv environment at `~/.uv-global` for Python experimentation and workflows.
- Supports easy installation of Python dependencies without polluting the system environment.
- Installs `uv` (via `brew` or `curl`) if not already available.
- Sets up a global virtual environment with common packages.
- Provides sample commands to install dependencies and run Python scripts within the managed environment.
- Works on Darwin and Linux systems.
Metadata
Slug: uv-global
Version: 0.1.2
License
Total installs: 7
Current installs: 6
Version count: 3
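FAQ

What is UV Global?

Provision and reuse a global uv environment for ad hoc Python scripts. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 2366 total downloads so far.

How do I install UV Global?

Run the command "/install uv-global" in the OpenClaw or Claude Code chat box for a one-step install; no extra configuration is needed.

Is UV Global free?

Yes, UV Global is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does UV Global support?

UV Global is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (darwin, linux).

Who developed UV Global?

Developed and maintained by guoqiao (@guoqiao); the current version is v0.1.2.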
