hugging-face-evaluation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly loads and parses README content from public Hugging Face model pages (ModelCard.load in scripts/evaluation_manager.py / SKILL.md inspect/extract flows) and fetches benchmark data from the public Artificial Analysis API (examples/artificial_analysis_to_hub.py and get_aa_model_data), then interprets that untrusted, user-generated content to generate model-index entries and create commits/PRs—so external third-party content can directly influence actions.