hugging-science
Warn
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructions in
SKILL.mdandreferences/using-models.mdexplicitly direct the agent to use thetrust_remote_code=Trueparameter when loading models via thetransformerslibrary. This allows the execution of arbitrary Python code shipped within the remote Hugging Face repository, bypassing standard sandboxing and creating a significant execution risk if a repository is compromised or malicious. - [COMMAND_EXECUTION]: The skill utilizes a bundled Python script
scripts/fetch_catalog.pywhich is executed via shell commands to retrieve and parse structured data from the catalog. While the script itself is benign, it establishes a pattern of local command execution. - [EXTERNAL_DOWNLOADS]: The skill performs network operations to fetch catalog data and model/dataset assets from
https://huggingscience.coandhttps://huggingface.co. While these are legitimate services associated with the skill's purpose, they represent external data dependencies. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).
- Ingestion points: The agent fetches and parses markdown topic files from
huggingscience.coand reads model/dataset descriptions from the Hugging Face Hub. - Boundary markers: There are no explicit instructions or delimiters used to warn the agent to ignore potentially malicious instructions embedded in the fetched catalog content.
- Capability inventory: The skill has the ability to execute shell commands (
scripts/fetch_catalog.py), perform remote code execution (trust_remote_code=True), and conduct network operations (gradio_client). - Sanitization: The
fetch_catalog.pyscript parses content using regular expressions but does not perform sanitization or validation of the description text before it is presented to the agent.
Audit Metadata