hugging-science
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it fetches scientific metadata (descriptions and tags) from an external catalog at huggingscience.co. This untrusted content is ingested into the agent's context, potentially allowing an attacker who controls the catalog content to influence the agent's behavior.
  - Ingestion points: Data is fetched via `scripts/fetch_catalog.py` from huggingscience.co (including `llms.txt`, `llms-full.txt`, and domain-specific markdown files).
  - Boundary markers: The instructions do not specify the use of delimiters or 'ignore' instructions when processing the external catalog data.
  - Capability inventory: The agent has the capability to perform network operations, read/write local files (like `.env`), and execute arbitrary Python code via the `trust_remote_code` mechanism.
  - Sanitization: The skill does not perform sanitization or validation on the descriptive text retrieved from the external source.
- [REMOTE_CODE_EXECUTION]: The skill documents the use of the `trust_remote_code=True` flag when loading specialized scientific models from Hugging Face. This is a standard but sensitive feature that allows the execution of arbitrary Python code included in a model's repository. The skill provides explicit warnings to the user regarding the safety implications of this flag and advises caution.
- [EXTERNAL_DOWNLOADS]: The skill fetches curated scientific resource lists from huggingscience.co. It also provides instructions for downloading models and datasets from Hugging Face, which is a well-known and established service.
- [CREDENTIALS_UNSAFE]: The skill includes guidance for handling Hugging Face API tokens (`HF_TOKEN`). It adheres to security best practices by recommending that secrets be stored in `.env` files and that these files be excluded from version control via `.gitignore`.
Audit Metadata