hugging-face-model-trainer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill repeatedly requires including the user's HF_TOKEN in job submission config (e.g., secrets={"HF_TOKEN":"$HF_TOKEN"}) and describes $HF_TOKEN as referencing the actual token value, which forces the agent to handle or propagate a secret value that could be output verbatim and thus risks exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts and fetches arbitrary third‑party URLs and Hub/GitHub resources (e.g., the hf_jobs "script" parameter allowing Hugging Face/ GitHub/ Gist URLs, datasets.load_dataset with user dataset names, and the dataset_inspector which queries the public Datasets Server/API), and the agent is expected to read and act on that untrusted, user-provided content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs remote scripts at runtime (for example: https://huggingface.co/datasets/mcp-tools/skills/raw/main/dataset_inspector.py) by passing those URLs to hf_jobs(), causing externally hosted Python code to be fetched and executed and the skill relies on that inspector for dataset validation.