hf-architecture-tikz
Warn
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The
scripts/extract_arch.pyscript includes a--trust-remote-codeoption that is passed to thetransformers.AutoConfig.from_pretrainedfunction. This allows for the execution of arbitrary Python code included in a HuggingFace repository or a local model directory. - [COMMAND_EXECUTION]: The
scripts/compile.shscript executes shell commands to invoke LaTeX engines (xelatexorpdflatex) and PDF conversion tools (pdftocairo). These tools process TeX files that are dynamically generated from external model configuration data. - [EXTERNAL_DOWNLOADS]: The skill downloads model configuration files from HuggingFace using the
huggingface_hubandtransformerslibraries. HuggingFace is a well-known service for AI model hosting. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted model metadata and interpolates it into a LaTeX template without complete sanitization.
- Ingestion points: Untrusted
config.jsonfiles are downloaded from HuggingFace and parsed byscripts/extract_arch.py. - Boundary markers: The generated LaTeX source does not use specific delimiters or protective blocks to encapsulate external data.
- Capability inventory: The
scripts/compile.shscript runs a LaTeX compiler on the generated output, which can be exploited to read files or execute commands if not properly restricted. - Sanitization: While
render_tikz.pycontains anescape_texfunction, it is not applied to thequantizationsummary field intemplates/anthropic.tex.j2. A malicious configuration file could use this field to inject arbitrary LaTeX macros.
Audit Metadata