hugging-face-model-trainer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill repeatedly requires including the user's HF_TOKEN in job submission config (e.g., secrets={"HF_TOKEN":"$HF_TOKEN"}) and describes $HF_TOKEN as referencing the actual token value, which forces the agent to handle or propagate a secret value that could be output verbatim and thus risks exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to accept and run external scripts and datasets from public URLs (e.g., "Working with Scripts" allowing Hugging Face/ GitHub/ Gist URLs and the dataset inspector at https://huggingface.co/datasets/mcp-tools/skills/raw/main/dataset_inspector.py), meaning the agent fetches and interprets untrusted, user-provided third‑party content that can directly change job scripts and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes examples that fetch and execute remote scripts at runtime (e.g., https://huggingface.co/datasets/mcp-tools/skills/raw/main/dataset_inspector.py used via hf_jobs and the convert_to_gguf.py script which clones and builds https://github.com/ggerganov/llama.cpp), so these URLs are runtime-fetched and execute remote code that the skill relies on.