hugging-face-model-trainer

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [External Downloads / Remote Code Execution] (HIGH): The skill contains templates and instructions that direct the agent to download and execute code from remote repositories.
      ◦ In references/training_patterns.md, the skill suggests executing a remote script from https://raw.githubusercontent.com/huggingface/trl/main/examples/scripts/grpo.py. While the 'huggingface' organization is trusted, direct remote execution is a significant risk vector.
      ◦ In references/gguf_conversion.md, the skill recommends cloning https://github.com/ggerganov/llama.cpp.git for runtime compilation. The user 'ggerganov' is not in the [TRUST-SCOPE-RULE] list of trusted organizations, classifying this as an unverifiable external dependency.
  • [Command Execution / Privilege Escalation] (HIGH): The documentation (e.g., references/gguf_conversion.md) provides code snippets using subprocess.run to perform administrative tasks like apt-get update and apt-get install. While standard for setting up ephemeral training environments, this capability allows for arbitrary command execution and privilege escalation within the runner context.
  • [Indirect Prompt Injection] (HIGH): The skill's primary purpose involves ingesting untrusted external data (datasets) and performing operations with side effects (pushing to the Hub).
      ◦ Ingestion points: Multiple scripts (e.g., scripts/train_sft_example.py, scripts/train_dpo_example.py) use load_dataset to pull content from the Hugging Face Hub.
      ◦ Capability inventory: The training environment utilizes the HF_TOKEN secret and has the push_to_hub capability to modify or create repositories.
      ◦ Sanitization: No explicit boundary markers or sanitization logic is present to prevent malicious data within datasets from influencing the agent's logic or model training outputs.
      ◦ Evidence chain: Untrusted Hub data enters the context via datasets (file: scripts/train_sft_example.py), lacks boundary markers, and possesses the capability to execute code via training processes and write to the Hub via push_to_hub.
  • [Dynamic Execution] (MEDIUM): The GGUF conversion process described in references/gguf_conversion.md involves runtime compilation of C++ source code via cmake. Running binaries compiled at runtime from external sources significantly expands the attack surface.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 08:45 AM