Skills
skills/patchy631/ai-engineering-hub/hugging-face-cli/Gen Agent Trust Hub

hugging-face-cli

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill exposes the hf jobs run command, allowing the agent to execute arbitrary shell commands on remote infrastructure. This is a high-risk capability if an attacker can influence the command arguments.
  • REMOTE_CODE_EXECUTION (HIGH): Commands like hf jobs run and hf jobs scheduled run enable code execution within remote Docker environments. The examples specifically demonstrate executing inline Python scripts (python -c) and external scripts, which can be weaponized if the script content or command parameters are manipulated.
  • CREDENTIALS_UNSAFE (HIGH): The instructions document passing sensitive tokens via the command line (--token $HF_TOKEN) and as job secrets (--secrets HF_TOKEN). This practice exposes credentials to process lists, shell history, and potentially remote logs, increasing the risk of credential theft.
  • DATA_EXFILTRATION (MEDIUM): The hf upload functionality allows the agent to send local files and directories to the Hugging Face Hub. This represents a potential exfiltration vector if the agent is directed to upload sensitive local data to an attacker-controlled repository.
  • EXTERNAL_DOWNLOADS (LOW): The skill performs downloads from the Hugging Face Hub. Per [TRUST-SCOPE-RULE], since the huggingface organization is a trusted source, the download risk itself is downgraded, though the risk of the downloaded content remains.
  • PROMPT_INJECTION (HIGH): The skill exhibits a significant Indirect Prompt Injection vulnerability (Category 8).
  • Ingestion points: Data is ingested through hf models info, hf datasets info, and hf spaces info (SKILL.md), which retrieve metadata and descriptions from external repositories.
  • Boundary markers: None are present to separate instructions from data.
  • Capability inventory: The skill has extensive capabilities including hf jobs run (remote execution), hf upload (data exfiltration), hf repo-files delete (file deletion), and hf endpoints deploy (resource provisioning).
  • Sanitization: There is no evidence of sanitization or filtering of the metadata fetched from the Hub. This allows an attacker to embed instructions in a model's README that, when processed by the agent, could trigger any of the high-privilege capabilities listed.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 05:29 AM