
hugging-face-cli

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The skill's core functionality is downloading untrusted models, datasets, and code from the Hugging Face Hub (hf download). These assets can contain malicious payloads or embedded instructions designed to subvert the agent's behavior.
  • REMOTE_CODE_EXECUTION (HIGH): The hf jobs run and hf endpoints deploy commands allow the agent to execute arbitrary code and Docker images on remote cloud infrastructure. This capability is highly dangerous if the agent's decision-making is influenced by untrusted data from a downloaded repository.
  • DATA_EXFILTRATION (HIGH): The hf upload command provides a direct mechanism to send local files to external repositories. An attacker using indirect prompt injection could trick the agent into uploading sensitive files, such as .env files, SSH keys, or local databases, to a public Hugging Face repository.
  • COMMAND_EXECUTION (MEDIUM): The skill utilizes the hf command name. The official tool from the Hugging Face team is huggingface-cli. Providing instructions for a shorthand command that is not a standard part of the huggingface_hub package poses a risk of users running unverified or malicious binaries named 'hf'.
  • INDIRECT_PROMPT_INJECTION (HIGH):
      • Ingestion points: hf download <repo_id>, hf datasets info, and hf models ls results.
      • Boundary markers: Absent. The skill provides no instructions to the agent on how to safely handle or delimit content fetched from the Hub.
      • Capability inventory: Includes shell execution, file system modification, network uploads, and remote cloud compute management.
      • Sanitization: No sanitization or verification steps are mentioned before processing downloaded content.
  • CREDENTIALS_EXPOSURE (LOW): Commands like hf auth list and hf auth switch allow the agent to view and manipulate stored authentication tokens, which could be exposed in conversation logs.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:46 AM