transformers-js

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • External Resource Fetching: The skill is designed to download machine learning models and WebAssembly (WASM) binaries to facilitate on-device inference.
  • Model Downloads: By default, it retrieves models from the Hugging Face Hub (huggingface.co), which is the intended functionality of the library. Users can also configure custom model hosts or CDNs.
  • WASM Execution: To perform efficient computations, the skill loads ONNX Runtime WASM binaries, typically from well-known CDNs like jsdelivr.net. This is a standard requirement for running complex ML models in the browser or Node.js without a dedicated backend.
  • File System Interaction: In Node.js environments, the skill implements a caching mechanism that writes model files to the local filesystem (defaulting to a .cache directory). This is a performance optimization to prevent redundant large-file downloads.
  • Configuration Flexibility: The skill exposes several environment settings (env object) that allow for granular control over model loading and execution. While this provides significant flexibility, such as using custom CDNs or local file paths, it operates within the framework of the official library's design.
  • Data Ingestion Surface: As an ML processing tool, the skill accepts various inputs including text, images, and audio URLs. While processing untrusted external content is a common pattern for such tools, users should ensure appropriate sanitization when using the output in sensitive contexts.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 11, 2026, 07:20 AM