hugging-science

Warn

Audited by Socket on May 1, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: The skill is largely coherent with its stated scientific-ML discovery purpose and uses mostly official Hugging Face surfaces, so there is no strong evidence of malware or credential harvesting. However, it asks the agent to read local `.env` secrets and, more importantly, normalizes `trust_remote_code=True` and programmatic Space usage, which create meaningful execution-trust and credential/data-forwarding risk beyond simple catalog browsing.

Confidence: 87%
Severity: 64%

Audit Metadata

Analyzed At: May 1, 2026, 06:08 PM
Package URL: pkg:socket/skills-sh/K-Dense-AI%2Fscientific-agent-skills%2Fhugging-science%2F@c27f55bfe7fd7a786e0e5fec235f259956ec26f9