hugging-face-stat

Fail

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: HIGH
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script hf_stats.sh contains a severe command injection vulnerability. User-controlled input $REPO_ID is used inside double-quoted strings in the shell script (e.g., URL="...${REPO_ID}..."), allowing for shell command substitution at the point of variable assignment. Furthermore, $REPO_ID is interpolated into a Python string executed via python3 -c (e.g., repo_id = '$REPO_ID'), which allows for arbitrary Python code execution if the input contains a single quote.
  • [EXTERNAL_DOWNLOADS]: The skill fetches model and dataset metadata from Hugging Face's official API using curl.
  • [PROMPT_INJECTION]: The skill processes external content from the Hugging Face API, creating a surface for indirect prompt injection.
  • Ingestion points: JSON data is fetched from the Hugging Face API in hf_stats.sh and parsed for display.
  • Boundary markers: Absent. The raw formatted output of the script is presented directly to the agent.
  • Capability inventory: The skill has the ability to execute shell commands and Python code, which could be leveraged if the agent is manipulated by injected instructions.
  • Sanitization: Absent. The script prints values directly from the API response without escaping or validation.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 7, 2026, 01:29 AM