hugging-face-paper-publisher
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFENO_CODECOMMAND_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [NO_CODE]: The skill's functionality relies entirely on an external Python script located at
scripts/paper_manager.py. This script is not included in the provided file list, making it impossible to verify its actual behavior or security. - [COMMAND_EXECUTION]: Usage instructions heavily involve executing shell commands via
uv run scripts/paper_manager.py. These commands perform sensitive operations including repository metadata modification and authorship claims. - [CREDENTIALS_UNSAFE]: The skill requires the
HF_TOKENenvironment variable to be configured with write-access permissions. While necessary for the stated functionality, the exposure of high-privilege tokens to an unverified script is a security risk. - [DATA_EXFILTRATION]: The skill uses
requestsandhuggingface_hubto interact with external APIs (arXiv and Hugging Face). Without the source code for the manager script, it cannot be confirmed that the sensitiveHF_TOKENor other local data is not being exfiltrated to unauthorized domains. - [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface (Category 8). It ingests untrusted data from external sources (arXiv metadata) and user-supplied files (
citation.txt,abstract.txt) and interpolates this content into repository READMEs and YAML metadata. - Ingestion points: arXiv ID metadata fetching,
--citationand--abstractcommand arguments. - Boundary markers: No boundary markers or 'ignore embedded instructions' warnings are present in the provided templates.
- Capability inventory: The
paper_manager.pyscript possesses file-write and network communication capabilities. - Sanitization: No sanitization or validation of the external content is documented or verifiable.
Audit Metadata