hugging-face-dataset-viewer

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Downloads Node.js packages including parquetlens, @parquetlens/sql, and @huggingface/hub from the npm registry using npx.
  • [COMMAND_EXECUTION]: Employs shell commands such as curl, jq, and npx to interact with external APIs and manage data files.
  • [REMOTE_CODE_EXECUTION]: Uses npx -y to automatically fetch and execute third-party code packages at runtime.
  • [PROMPT_INJECTION]: Indirect prompt injection surface identified.
      1. Ingestion points: reads data from Hugging Face datasets via /rows, /search, and /filter endpoints in SKILL.md.
      2. Boundary markers: None observed in the instructions.
      3. Capability inventory: subprocess execution (curl, npx) and file system access for SQL exports.
      4. Sanitization: No validation or cleaning of ingested data is mentioned.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 01:51 PM