hf-papers-reporter
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The shell scripts video-project/scripts/generate_audio.sh and video-project/scripts/render.sh contain hardcoded absolute paths (e.g., /Users/xdrshjr/...) and execute external Python scripts from outside the skill's own directory. This creates a significant security risk by introducing unverified dependencies on code at specific filesystem locations.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill is designed to download research papers from huggingface.co and arxiv.org. These sources are consistent with the skill's primary purpose.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill ingests untrusted content from external papers which are then used as inputs for TTS and document generation.
  - Ingestion points: Hugging Face paper metadata and arXiv PDF content.
  - Boundary markers: None detected in the provided code.
  - Capability inventory: File system writing, network requests, and execution of shell commands.
  - Sanitization: Documentation mentions basic removal of XML control characters, but there is no evidence of robust sanitization for paper content used in the video project or generated reports.
- [MISSING_SOURCE] (HIGH): The core script scripts/process_papers.py, which is responsible for the scraping and PDF processing, is missing from the provided files. Its absence makes it impossible to verify the skill's core safety and data handling practices.
Recommendations
- AI detected serious security threats
Audit Metadata