hugging-face-tool-builder
Audited by Socket on Feb 16, 2026
1 alert found:
Security [Skill Scanner]: Backtick command substitution detected

No signs of deliberate malicious behavior in this skill manifest. The capabilities and requirements are consistent with the stated purpose: building scripts that use the Hugging Face API/CLI. Primary caution points: HF_TOKEN is sensitive (scripts must not leak it), and downloading arbitrary repo files via the hf CLI increases the risk if the user subsequently executes fetched content. No third-party exfiltration or obfuscated code is present. Overall the skill is benign but carries normal operational risks associated with executing downloaded content and handling credentials.

LLM verification: The skill fragment appears benign with respect to purpose, execution flow, and data handling. The main risk areas are standard credential hygiene and avoiding leakage of HF_TOKEN in logs or shell history. The documented backtick example is a documentation artifact rather than active code. Implementers should sanitize inputs and ensure credentials are not logged. Overall footprint aligns with the goal of Hugging Face API tool building.