hf-architecture-tikz

Warn

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The scripts/extract_arch.py script includes a --trust-remote-code option that is passed to the transformers.AutoConfig.from_pretrained function. This allows for the execution of arbitrary Python code included in a HuggingFace repository or a local model directory.
  • [COMMAND_EXECUTION]: The scripts/compile.sh script executes shell commands to invoke LaTeX engines (xelatex or pdflatex) and PDF conversion tools (pdftocairo). These tools process TeX files that are dynamically generated from external model configuration data.
  • [EXTERNAL_DOWNLOADS]: The skill downloads model configuration files from HuggingFace using the huggingface_hub and transformers libraries. HuggingFace is a well-known service for AI model hosting.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted model metadata and interpolates it into a LaTeX template without complete sanitization.
  • Ingestion points: Untrusted config.json files are downloaded from HuggingFace and parsed by scripts/extract_arch.py.
  • Boundary markers: The generated LaTeX source does not use specific delimiters or protective blocks to encapsulate external data.
  • Capability inventory: The scripts/compile.sh script runs a LaTeX compiler on the generated output, which can be exploited to read files or execute commands if not properly restricted.
  • Sanitization: While render_tikz.py contains an escape_tex function, it is not applied to the quantization summary field in templates/anthropic.tex.j2. A malicious configuration file could use this field to inject arbitrary LaTeX macros.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 23, 2026, 06:09 AM
Security Audit — agent-trust-hub — hf-architecture-tikz