hugging-face-dataset-viewer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md instructs the agent to call the public Dataset Viewer API at https://datasets-server.huggingface.co (endpoints like /first-rows, /rows, /search, /parquet) to fetch and preview user-generated, public Hugging Face dataset content that the agent is expected to read/interpret and use to drive pagination, searches, parquet path derivation, and subsequent queries, so untrusted third‑party content can influence behavior.