hf-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md shows the CLI fetches and reads public, user-generated Hub content — e.g., hf models card, hf datasets card, hf papers read, hf discussions (public posts/PRs), hf skills add (downloads third‑party skills), and hf jobs uv run SCRIPT / hf-mount (runs or mounts files from repo/URLs) — all of which require the agent to ingest and act on untrusted third‑party content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). Flagged because the skill's installation steps fetch and execute remote shell scripts at runtime (curl -LsSf https://hf.co/cli/install.sh | bash -s and curl -fsSL https://raw.githubusercontent.com/huggingface/hf-mount/main/install.sh | sh), meaning external code is run and the skill depends on those scripts.