hf-mcp
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Remote Code Execution (HIGH): The hf_jobs tool provides multiple vectors for RCE, including running arbitrary Python scripts via operation='uv' and executing shell commands in containers via operation='run'. While these are documented features, they grant the agent the ability to execute unvetted logic.
- Persistence Mechanism (HIGH): The skill supports operation='scheduled uv', which allows an agent to schedule recurring code execution using cron syntax. An attacker could use this to establish a permanent presence on the compute resource.
- Indirect Prompt Injection (HIGH):
  - Ingestion points: hub_repo_details (READMEs) and hf_doc_fetch (documentation) fetch text from Hugging Face Hub, which is a user-controlled platform.
  - Boundary markers: None. The instructions do not define delimiters or warn the agent to ignore instructions embedded in the READMEs.
  - Capability inventory: The skill includes high-impact capabilities like remote code execution (hf_jobs) and external tool invocation (dynamic_space).
  - Sanitization: No sanitization or safety-filtering of fetched content is mentioned. A malicious README could successfully command the agent to run a training job that exfiltrates the user's HF_TOKEN.
- Credential Access (MEDIUM): The examples demonstrate the use of HF_TOKEN. If the agent is compromised via injection, any script run through hf_jobs has direct access to this sensitive secret.
Recommendations
- AI detected serious security threats