skills/python-env/SKILL.md
Fast Python environment management with uv (10-100x faster than pip). Triggers on: uv, venv, pip, pyproject, python environment, install package, dependencies.
```bash
npx skillsauth add 0xDarkMatter/claude-mods python-env
```

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
3 of 9 scanners reported clean
Fast Python environment management with uv. Prefer the uv project workflow
(uv add / uv sync / uv run) over the uv pip compatibility layer — it
manages pyproject.toml + a lockfile for you and is reproducible.
| Task | Command |
|------|---------|
| Start a project | `uv init <name>` (app) · `uv init --package <name>` (installable, src/ layout) |
| Add dependency | `uv add httpx` |
| Add dev dependency | `uv add --dev pytest ruff` |
| Remove dependency | `uv remove httpx` |
| Sync env from lockfile | `uv sync` |
| Run in project env | `uv run pytest` |
| Update lockfile | `uv lock` |
| Install a CLI tool | `uv tool install ruff` · one-shot: `uvx ruff` |
| Install a Python | `uv python install 3.12` |
```bash
# Application (flat layout, no package build)
uv init myapp

# Installable package (src/ layout — separate tests/ that import by name)
uv init --package wordtools
# → src/wordtools/__init__.py, pyproject.toml with build-system
```

uv init creates pyproject.toml, pins a Python version, and prepares the
project for uv add / uv sync. The --package (src) layout is preferred for
anything with a test suite or that you intend to ship.
```bash
# Add runtime deps (writes to [project.dependencies] + updates the lockfile)
uv add "httpx>=0.25" pydantic

# Add dev-only deps (writes to the dev dependency-group)
uv add --dev pytest ruff mypy

# Add with extras
uv add "fastapi[standard]"

# Remove
uv remove httpx

# Install everything from pyproject + uv.lock into .venv (reproducible)
uv sync

# Refresh the lockfile (e.g. after manual pyproject edits)
uv lock
```

uv creates and manages .venv automatically — you rarely activate it; just
prefix commands with uv run.
```bash
uv run python script.py    # run a script in the project env
uv run pytest              # run a tool from the dev group
uv run -- ruff check .     # `--` ends uv flag parsing
```

Never call bare python / pytest / ruff in a uv project — they may resolve
to a different interpreter. Always uv run.
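
The rule above can be checked mechanically in the shell scripts that drive a uv project. The following is an added example, not part of the skill: a heuristic linter that flags guarded tools invoked by bare name. The `GUARDED` and `WRAPPERS` sets and the sample script are assumptions constructed here.

```python
import re
import shlex

# Assumed policy: the page's three tools plus mypy and pip. SAMPLE is constructed.
GUARDED = {"python", "python3", "pytest", "ruff", "mypy", "pip"}
WRAPPERS = {"sudo", "env", "exec", "time", "command"}  # the real command follows
ENV_ASSIGN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*=")    # e.g. CI=1 pytest
SEPARATOR_CHARS = set(";|&()")                         # start a new simple command


def bare_invocations(script: str) -> list[tuple[int, str]]:
    """Return (line, tool) for guarded tools that run from PATH, not via uv."""
    findings = []
    expect_cmd = True  # next word is a command name, not an argument
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = raw.rstrip()
        continued = line.endswith("\\")  # command continues on the next line
        lexer = shlex.shlex(line.rstrip("\\"), posix=True, punctuation_chars=True)
        lexer.whitespace_split = True
        try:
            tokens = list(lexer)
        except ValueError:  # unbalanced quote: skip the line rather than guess
            tokens = []
        for tok in tokens:
            if tok and set(tok) <= SEPARATOR_CHARS:
                expect_cmd = True
            elif expect_cmd and tok not in WRAPPERS and not ENV_ASSIGN.match(tok):
                expect_cmd = False
                # `uv run pytest` has `uv` as its command, so it never matches;
                # an explicit path such as .venv/bin/python is not a PATH lookup.
                if tok in GUARDED:
                    findings.append((lineno, tok))
        if not continued:
            expect_cmd = True
    return findings


SAMPLE = """\
# run pytest before pushing
uv run pytest -q
uv tool install ruff
uvx ruff check .
ruff check . && pytest -q
CI=1 python script.py
uv run -- \\
    pytest -q
.venv/bin/python -V
"""
```

On the sample, `bare_invocations(SAMPLE)` reports `ruff` and `pytest` on line 5 and `python` on line 6; the comment, the `uv`/`uvx` lines, the continued `uv run` command and the explicit venv path are not flagged.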
```bash
uv tool install ruff    # persistent, isolated, on PATH
uv tool upgrade ruff
uvx ruff check .        # ephemeral one-shot run, nothing installed
```

Use uv tool / uvx for developer CLIs (ruff, pre-commit, httpie). Use
uv add only for things your code imports.
```bash
uv python install 3.12       # download a managed interpreter
uv python list               # show available + installed
uv init --python 3.12 app    # pin a project to a version
```

3.13 is the current stable release (free-threading and JIT, both opt-in); 3.11+
is a sensible floor for new projects (TaskGroup, Self, faster interpreter).
```toml
[project]
name = "my-project"
version = "0.1.0"
requires-python = ">=3.11"
dependencies = [
    "httpx>=0.25",
    "pydantic>=2.0",
]

# Dev deps live here; `uv add --dev <pkg>` manages this group.
[dependency-groups]
dev = [
    "pytest>=8.0",
    "ruff>=0.4",
    "mypy>=1.10",
]
```

uv pip) — last resort

uv pip mirrors pip's interface for environments uv doesn't manage (a hand-made
venv, a legacy requirements.txt, CI that isn't uv-native). It does not
update pyproject.toml or the lockfile — prefer uv add / uv sync whenever
you control the project.
```bash
uv venv                                               # bare venv (no project)
uv pip install -r requirements.txt                    # legacy requirements file
uv pip install -e .                                   # editable install into an unmanaged venv
uv pip compile requirements.in -o requirements.txt    # pin a requirements.txt
```

| Issue | Solution |
|-------|----------|
| "No Python found" | `uv python install 3.12` |
| Pin project Python | `uv init --python 3.12` or edit `requires-python` |
| Lock/resolve conflict | `uv lock --resolution=lowest-direct` to probe, then loosen bounds |
| Stale env after pull | `uv sync` |
| Cache issues | `uv cache clean` |

- uv add / uv remove / uv sync for project dependencies (not uv pip install)
- uv run to execute anything inside the project env
- uv tool install / uvx for standalone developer CLIs
- uv pip only for environments uv doesn't manage

For detailed patterns, load:

- ./references/pyproject-patterns.md - Full pyproject.toml examples, tool configs
- ./references/dependency-management.md - Lock files, workspaces, private packages
- ./references/publishing.md - PyPI publishing, versioning, CI/CD

This is a foundation skill with no prerequisites.

Build on this skill:

- python-typing-ops - Type hints for projects
- python-pytest-ops - Testing infrastructure
- python-fastapi-ops - Web API development