huggingface-hub
Fail
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to download an installation script from Hugging Face's official domain and pipe it straight into a shell, so the script runs without being inspected or pinned to a known version. Evidence (SKILL.md): curl -LsSf https://hf.co/cli/install.sh | bash -s
- [REMOTE_CODE_EXECUTION]: The CLI can install extensions from remote GitHub repositories (hf extensions install) and run Python scripts with inline dependencies (hf jobs uv); both execute code fetched from external sources.
- [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection because it processes untrusted data from the Hugging Face Hub (e.g., datasets, repository discussions, and pull requests) that could carry instructions crafted to influence the agent's behavior.
  - Ingestion points: Data is ingested from repository files, dataset parquet URLs, and community discussions (SKILL.md).
  - Boundary markers: No delimiters around ingested content, and no instruction to disregard instructions embedded in it, are documented.
  - Capability inventory: The skill allows repository management, file operations, and remote job execution; these are the actions an injected instruction could direct the agent to take.
  - Sanitization: The documentation does not specify any sanitization or validation of data retrieved from the Hub.
Recommendations
- HIGH: Downloads and executes remote code from https://hf.co/cli/install.sh. DO NOT USE without reviewing the fetched script before it is allowed to run.
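As an added example that is not part of the audit output or of the hf CLI project, the shell functions below show the review step the HIGH recommendation calls for: fetch the install script to disk, compare it against a SHA-256 the reviewer recorded after reading it, and only then hand it to bash -s as the flagged one-liner would. The URL is the one the audit cites; the expected digest is an assumption the reviewer supplies (no real digest for the script is asserted here), and the function names are my own.

```shell
# Added example (not from the audit or the hf CLI project): download an install
# script to disk, check it against a SHA-256 a reviewer recorded after reading
# it, and only then execute it. This replaces the flagged pattern
# "curl -LsSf <url> | bash -s", which runs whatever the server returns today.
# No real digest for https://hf.co/cli/install.sh is asserted here; the
# expected value is an assumption the reviewer supplies.

# Print the SHA-256 of a file. GNU coreutils ships sha256sum; macOS/BSD use shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Exit status 0 when the digest matches, 1 otherwise. Executes nothing.
verify_script() {
    file="$1"
    expected="$2"
    if [ ! -r "$file" ]; then
        echo "verify_script: cannot read $file" >&2
        return 1
    fi
    actual="$(sha256_of "$file")"
    if [ "$actual" != "$expected" ]; then
        echo "verify_script: digest mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# fetch_verify_run URL EXPECTED_SHA256 [SCRIPT_ARGS...]
# Fetches URL to a temp file, verifies it, then feeds it to "bash -s" exactly as
# the one-liner would, but only after the check passes. Needs network access;
# verify_script alone does not.
fetch_verify_run() {
    url="$1"
    expected="$2"
    shift 2
    tmp="$(mktemp)" || return 1
    if ! curl -LsSf "$url" -o "$tmp"; then
        echo "fetch_verify_run: download failed: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! verify_script "$tmp" "$expected"; then
        rm -f "$tmp"
        return 1
    fi
    bash -s "$@" < "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage, once the reviewer has read the script and recorded its digest:
#   fetch_verify_run https://hf.co/cli/install.sh "<sha256 recorded during review>"
```

The digest check only proves the script is the one that was reviewed; it does not make the script safe, so the review itself (what the installer fetches next, where it writes, whether it modifies shell profiles) still has to happen once, and the recorded digest has to be updated deliberately whenever the upstream script changes.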
Audit Metadata