hugging-face-jobs

This skill is documentation for using Hugging Face Jobs and does not itself contain malicious code. Its capabilities (submitting remote jobs, passing HF_TOKEN, pushing to Hub, uploading to S3, calling external APIs, using webhooks and third-party images) are coherent with the stated purpose. The primary risks are operational and supply-chain: accidental credential exposure (particularly if env or hardcoded tokens are used), exfiltration to arbitrary external endpoints if user scripts send sensitive outputs, and executing remote scripts or third-party container images that could be compromised. These are legitimate features but require cautious use of secrets, verification of script/image provenance, and avoiding env or hardcoded tokens. Overall, expect moderate security risk from misuse or poor operational hygiene rather than inherent malicious behavior in the skill content.