hugging-face-tool-builder
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to indirect prompt injection from Hugging Face model cards.
  1. Ingestion points: Scripts like hf_model_card_frontmatter.sh and hf_model_papers_auth.sh fetch README.md files and metadata from the Hugging Face Hub.
  2. Boundary markers: No delimiters or explicit instructions are used to separate untrusted external content from the agent's reasoning process.
  3. Capability inventory: The skill is explicitly designed to create and test/execute shell, Python, and TSX scripts.
  4. Sanitization: No sanitization or filtering is performed on retrieved content before it is processed for script generation.
- [COMMAND_EXECUTION] (MEDIUM): The skill relies heavily on executing shell commands and instructs the agent to test the scripts it builds. This provides a direct path for malicious instructions to reach the system.
- [REMOTE_CODE_EXECUTION] (LOW): While the skill does not pipe remote scripts directly into a shell, it retrieves data from the internet (Hugging Face API and Hub) that is then processed by a component with code generation and execution capabilities.
- [DYNAMIC_EXECUTION] (MEDIUM): The script hf_model_card_frontmatter.sh uses Python heredocs to generate and execute code at runtime for parsing frontmatter.
Recommendations
- AI detected serious security threats
Audit Metadata