hggngf-hub
Fail
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: Documents the installation of the Hugging Face CLI by downloading a script from the official Hugging Face domain and executing it in the shell environment.
- [COMMAND_EXECUTION]: Provides instructions for executing various shell commands to manage Hugging Face repositories, sync data, and inspect environment details.
- [DATA_EXFILTRATION]: Facilitates the transfer of local data to external repositories on the Hugging Face Hub and documents the use of authentication tokens for access control.
- [DYNAMIC_EXECUTION]: Describes the use of tools for running Python scripts with inline dependencies and installing CLI extensions from remote GitHub repositories.
- [METADATA_POISONING]: The skill contains deceptive metadata, specifically an 'author' field claiming to be 'Hugging Face' which conflicts with the actual provider. The skill name 'hggngf-hub' also appears to be a variation of the official service name designed to mislead users about its provenance.
Recommendations
- HIGH: Downloads and executes remote code from: https://hf.co/cli/install.sh - DO NOT USE without thorough review
Audit Metadata