hggngf-hub

Fail

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Documents the installation of the Hugging Face CLI by downloading a script from the official Hugging Face domain and executing it in the shell environment.
  • [COMMAND_EXECUTION]: Provides instructions for executing various shell commands to manage Hugging Face repositories, sync data, and inspect environment details.
  • [DATA_EXFILTRATION]: Facilitates the transfer of local data to external repositories on the Hugging Face Hub and documents the use of authentication tokens for access control.
  • [DYNAMIC_EXECUTION]: Describes the use of tools for running Python scripts with inline dependencies and installing CLI extensions from remote GitHub repositories.
  • [METADATA_POISONING]: The skill contains deceptive metadata, specifically an 'author' field claiming to be 'Hugging Face' which conflicts with the actual provider. The skill name 'hggngf-hub' also appears to be a variation of the official service name designed to mislead users about its provenance.
Recommendations
  • HIGH: Downloads and executes remote code from: https://hf.co/cli/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 24, 2026, 01:35 AM
Security Audit — agent-trust-hub — hggngf-hub