hf-cli

Warn

Audited by Socket on Apr 30, 2026

1 alert found:

Anomaly (LOW) in SKILL.md

Overall SUSPICIOUS rather than malicious. The core `hf` CLI is legitimately Hugging Face-owned and fits the stated purpose, so the official installer alone is not a strong malicious signal. Risk comes from broad administrative capabilities, token exposure paths, remote script/job execution, and especially transitive installation of third-party GitHub extensions and additional skills. Safe use requires explicit per-action approval and avoiding extension/skill installs unless provenance is separately verified.

Confidence: 90%
Severity: 64%
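One way to turn the "explicit per-action approval" recommendation above into an enforceable gate is a shell wrapper that sits in front of the `hf` binary. The following is an added example written for this page; it is not part of the hf-cli skill, of Hugging Face's tooling, or of Socket's audit. It assumes the subcommand names in the `case` arms (`download`, `upload`, `jobs`, `auth`, `cache`, and an `extensions`/`skills` install path matched purely by name) and the environment variable `HF_GATE_PROVENANCE_VERIFIED`; the exit codes 77/78/79 are arbitrary choices of this wrapper.

```bash
#!/usr/bin/env bash
# hf_gate: added example policy wrapper around the `hf` CLI (not the skill's
# or Socket's code). Read-only commands pass, mutating commands require an
# interactive yes, and extension/skill installs are refused unless the caller
# asserts that provenance was verified out of band.
#
# Assumptions (not from the page): the subcommand names below are what this
# wrapper knows; "extensions"/"skills" are matched by name only and may not be
# real `hf` subcommands. HF_GATE_PROVENANCE_VERIFIED is invented here.

# classify_hf_action SUBCOMMAND [ARGS...]  ->  prints allow | approve | deny
classify_hf_action() {
    local sub="${1:-}"
    shift || true
    local verb="${1:-}"
    case "$sub" in
        ""|help|version|env|download)
            echo allow ;;                      # read-only or local only
        cache)
            # listing the cache is harmless; anything else mutates local state
            case "$verb" in
                ls|scan) echo allow ;;
                *)       echo approve ;;
            esac ;;
        extensions|extension|skills|skill)
            # transitive third-party installs: the audit's main concern
            case "$verb" in
                install|add)
                    if [ "${HF_GATE_PROVENANCE_VERIFIED:-0}" = 1 ]; then
                        echo approve           # still needs a human yes
                    else
                        echo deny
                    fi ;;
                *) echo allow ;;
            esac ;;
        jobs)
            echo approve ;;                    # remote execution
        *)
            echo approve ;;                    # upload, repo, auth, unknown
    esac
}

# hf_gate [hf args...]: run `hf` only after the policy decision above.
hf_gate() {
    local decision ans
    decision="$(classify_hf_action "$@")"
    case "$decision" in
        allow) ;;
        deny)
            echo "hf_gate: refused 'hf $*'. Verify the source yourself, then" \
                 "re-run with HF_GATE_PROVENANCE_VERIFIED=1." >&2
            return 77 ;;
        approve)
            if [ ! -t 0 ]; then
                # no terminal means no human: refuse rather than auto-approve
                echo "hf_gate: 'hf $*' needs approval but stdin is not a tty" >&2
                return 78
            fi
            printf 'hf_gate: run `hf %s`? [y/N] ' "$*" >&2
            read -r ans
            case "$ans" in
                y|Y) ;;
                *) echo "hf_gate: not approved" >&2; return 79 ;;
            esac ;;
    esac
    command hf "$@"
}
```

Source the file and alias `hf=hf_gate` in the shell an agent or skill runs under; because the wrapper refuses approval-class commands when stdin is not a terminal, a non-interactive skill invocation cannot silently upload, launch a job, or install an extension, and the explicit `deny` branch documents why an install was blocked instead of failing opaquely.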
Audit Metadata
Analyzed At
Apr 30, 2026, 03:57 AM
Package URL
pkg:socket/skills-sh/huggingface%2Fskills%2Fhf-cli%2F@2ff3ff6202f88df7cecbe05cd1a43cac12759ecf