hugging-face-evaluation-manager
Warn
Audited by Snyk on Mar 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's CLI and scripts fetch and parse untrusted, user-generated third-party data: scripts/evaluation_manager.py uses ModelCard.load to read public model README content from huggingface.co, and get_aa_model_data/import-aa calls the Artificial Analysis API. The parsed values are then used to construct model-index YAML and, optionally, to create pushes/PRs, so external content directly influences the actions the tool performs.
Issues (1)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).