hugging-face-model-trainer
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). The list mixes legitimate Hugging Face and GitHub documentation (low risk) with direct raw-script URLs and user-controlled Hub/Gist/raw.githubusercontent links that deliver executable code and can be trivially used to distribute malicious payloads if unvetted, so overall this is a moderate-to-high risk when used to auto-download/execute.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The content contains high-risk remote code execution and supply-chain patterns (use of trust_remote_code=True, cloning and executing code from external repos, installing remote requirements and building binaries) that could allow arbitrary code execution or credential exfiltration in a jobs environment.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and runs public, user-provided content (e.g., inspecting arbitrary Hugging Face datasets via the Dataset Inspector which queries the Datasets Server API, and accepting scripts from public URLs on Hugging Face, GitHub, or Gists for hf_jobs), so the agent will read and act on untrusted third-party/user-generated content.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill fetches and executes remote scripts at runtime (for example, the GGUF conversion script clones and builds code from https://github.com/ggerganov/llama.cpp.git and the skill recommends running scripts directly from raw URLs such as https://raw.githubusercontent.com/huggingface/trl/main/... and https://huggingface.co/datasets/mcp-tools/skills/raw/main/dataset_inspector.py), so external content is fetched at runtime, executed, and relied upon for job functionality.
Audit Metadata