hf-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly exposes commands such as "hf skills add" and "hf download REPO_ID" which fetch and install content from the public Hugging Face Hub (user-generated models, datasets, discussions, and skills), directly allowing untrusted third-party content to be read/installed and thereby alter the agent's behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The SKILL.md includes an installation command that fetches and pipes a remote script to a shell (curl -LsSf https://hf.co/cli/install.sh | bash -s), which executes remote code fetched from that URL and is presented as a required installation step.