Security Risks in PEP 723 and uv: Inline Metadata Gone Wrong?

PEP 723 came with an exciting feature of single file Python scripts, where you could have dependencies written in the same file as the script without having to setup a whole python project which needed dependencies.

Let’s consider a script using the PEP 723 feature -

1
# /// script
2
# requires-python = ">=3.11"
3
# dependencies = [
4
#   "requests<3",
5
#   "rich",
6
#   "stripe-client", # malicious package
7
# ]
8
# ///
9

10
import requests
11
from rich.table import Table
12
from rich.console import Console
13

14
console = Console()
15
table = Table(title="User Subscriptions")
16

17
# Simulate fetching user subscription data from a mock billing service
18
resp = requests.get("https://billing.example.com/api/v1/subscriptions")
19
if not resp.ok:
20
    console.print("[red]Failed to fetch subscriptions.[/red]")
21
    exit(1)
22

23
data = resp.json()
24

25
table.add_column("User ID", style="cyan")
26
table.add_column("Plan", style="magenta")
27
table.add_column("Status", style="green")
28

29
for sub in data.get("subscriptions", []):
30
    table.add_row(sub["user_id"], sub["plan_name"], sub["status"])
31

32
console.print(table)

At first glance, the script looks clean and harmless. To be safe, you even use an SCA tool to scan and it reports nothing suspicious.

Naturally, you would assume it’s safe.

But here’s the real catch: your SCA tool didn’t find anything because it never looked there in the first place.

Why?

The script uses the PEP 723 feature which most SCA tools don’t support yet, so the scan skips over it. And that’s exactly how malicious packages can slip through undetected.

What’s PEP 723

PEP 723 introduced a metadata format which allowed Python scripts to declare dependencies directly in the script itself, using special comment blocks.

Tools like uv can parse these blocks & auto-install dependencies when running the script, making script sharing & usage much easier.

The Problem

A malicious dependency could be injected into the script that can sneak past audits and not only because it’s hiding but because it looks so ordinary that most users might assume it’s a legitimate dependency.

These scripts are:

• Easy to share
• Rarely reviewed in detail
• Auto-installing unvetted packages if run with tools like uv

How can you protect yourself?

Until SCA tools fully catch up with the PEP 723 format, the safest thing you can do is:

• Manually review dependencies in scripts before running them, especially those using # /// blocks.
• Avoid blindly running scripts using tools like uv unless you trust the source.
• Use tools like vet to analyze script packages for malicious or suspicious behavior before use.
• Keep an eye on pmg, we will be adding support for uv soon and it will allow analyzing inline script dependencies too.