hugging-face-paper-publisher
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Full Analysis
- Input Validation and Sanitization: The paper_manager.py script includes dedicated methods to sanitize untrusted input from both users and external APIs (arXiv). It specifically neutralizes Markdown code fences and YAML document delimiters to prevent structural injection when updating repository READMEs or generating paper articles. arXiv identifiers are also validated against strict regular expression patterns before use.
- Secure Credential Management: Authentication with the Hugging Face Hub is handled using the standard HF_TOKEN environment variable or the official local cache. The skill does not hardcode secrets or store sensitive tokens insecurely, leveraging the trusted huggingface_hub library for all API interactions.
- Controlled Repository Modifications: When linking papers to models or datasets, the skill uses specific boundary markers (<!-- paper-manager:start -->) to isolate its changes within README files. This approach ensures that existing content is preserved and modifications are transparent to users.
- Trusted External Communication: Network operations are limited to well-known and official services, specifically the Hugging Face API and the arXiv export API. These communications are essential for the skill's primary function of paper discovery and metadata management.
- Dependency Safety: The skill utilizes standard, well-maintained Python libraries such as requests, pyyaml, and huggingface_hub. No suspicious or unverified third-party dependencies are included.
Audit Metadata