Trust Assessment
hugging-face-datasets received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. The key findings are SQL injection via a user-provided SQL query, arbitrary file write via the export command, and data exfiltration to the Hugging Face Hub.
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. The llm_behavioral_safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 3f4f55d6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Description | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | SQL Injection via user-provided SQL query | `sql_manager.py` passes the string given to the `--sql` argument straight to DuckDB for execution. The whole statement is attacker-controlled, so it is not limited to the dataset the skill intends to query. DuckDB's SQL dialect does reach the file system: `COPY ... TO` / `COPY ... FROM` and the file-reading table functions (`read_csv`, `read_text` and similar) operate on local paths, and `INSTALL` / `LOAD` pull in extensions. An injected statement can therefore read, modify or delete data beyond the intended scope and read or write local files with the agent's permissions. | Because the user supplies the entire statement, parameterized queries only help where the script composes queries itself from user-supplied values; they do not apply to the `--sql` path. For that path, allow-list statement types (a single `SELECT` / `WITH`; no `COPY`, `ATTACH`, `INSTALL`, `LOAD`, `SET`), reject string literals that reference local paths or non-`hf://` URLs, restrict file and extension access at the DuckDB connection level where the skill can tolerate it, and run the agent with a minimal file-system footprint. | Unknown | scripts/sql_manager.py:90 |
| HIGH | Arbitrary File Write via export command | The `export` command takes an arbitrary local path from the `--output` argument and interpolates it into a DuckDB `COPY ... TO` statement. Nothing confines the path, so the agent can be made to write query output anywhere it has write permission: over configuration or startup files, or into locations from which the content is later executed or served. | Confine `--output` to a designated directory (a temporary or per-user export folder). Resolve the path, reject absolute paths, reject any result that lands outside the allowed root after `..` and symlink resolution, and pass only the canonical path to `COPY`. | Unknown | scripts/sql_manager.py:260 |
| HIGH | Data Exfiltration to Hugging Face Hub | The `query` and `transform` commands accept `--push-to`, which uploads the result set to a new Hugging Face repository using the configured `HF_TOKEN`. Chained with the SQL finding above, a crafted query can pull rows from any dataset the token can read and push them to a repository the attacker controls, which may be public. | Fix the SQL finding first. Then restrict `--push-to` targets to an allow-list of organizations or user namespaces, require explicit confirmation before creating a public repository, and scope `HF_TOKEN` to the minimum: a fine-grained token with write access only to the destination namespace. | Unknown | scripts/sql_manager.py:200 |
| MEDIUM | Hugging Face Token Exposure within DuckDB Context | Both `dataset_manager.py` and `sql_manager.py` read `HF_TOKEN` from the environment, and the push functionality requires that token to have write scope. `sql_manager.py` additionally registers it in the DuckDB connection with `CREATE SECRET hf_token (TYPE HUGGINGFACE, TOKEN '{self.token}');`, which makes the write-capable token part of the SQL execution context. Every statement that runs on that connection, including an injected one, runs with access to that secret. | Check whether the SQL layer needs the token at all; if only the upload step does, keep the token in Python and hand it to the Hub client rather than to DuckDB. Where DuckDB must read private datasets, use a separate read-only token for the `CREATE SECRET` and a write-scoped token only for the push step, and prefer short-lived tokens. | Unknown | scripts/sql_manager.py:46 |
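As an added example (not code from the hugging-face-datasets skill or from SkillShield), the following Python shows the checks the remediation column asks for: a guard in front of DuckDB for `--sql` that allows only a single read-only statement whose string literals reference nothing but `hf://` paths, a confinement check for `--output`, and a namespace allow-list for `--push-to`. The function names, the keyword and namespace allow-lists, and the `/tmp/skill-exports` export root are assumptions; the sample inputs are constructed.

```python
"""Hardening checks for a sql_manager.py-style CLI that takes --sql,
--output and --push-to. Added example: function names, allow-lists and the
export root are assumptions, not the skill's own code."""
import re
from pathlib import Path

# Statement types and keywords that let DuckDB touch the file system, load
# extensions or change connection settings. Checked on the query with string
# literals blanked out, so a literal containing "COPY" is not a false positive.
_BLOCKED_SQL = re.compile(
    r"\b(COPY|EXPORT|IMPORT|ATTACH|DETACH|INSTALL|LOAD|SET|RESET|PRAGMA|"
    r"CREATE|DROP|ALTER|INSERT|UPDATE|DELETE|CALL)\b",
    re.IGNORECASE,
)
_LITERAL = re.compile(r"'([^']*)'")


def check_read_only_sql(sql: str) -> str:
    """Accept one SELECT/WITH statement whose string literals reference only
    hf:// paths; raise ValueError otherwise.

    This is a guard in front of the engine, not a sanitizer: even a plain
    SELECT can call read_text('/etc/passwd') in DuckDB, which is why path-like
    literals are rejected and not just COPY.
    """
    stripped = sql.strip().rstrip(";").strip()
    literals = _LITERAL.findall(stripped)
    skeleton = _LITERAL.sub("''", stripped)  # structure only, literal text removed
    if ";" in skeleton:
        raise ValueError("only one statement is allowed")
    if "--" in skeleton or "/*" in skeleton:
        raise ValueError("comments are not allowed")
    if not re.match(r"(SELECT|WITH)\b", skeleton, re.IGNORECASE):
        raise ValueError("only SELECT/WITH queries are allowed")
    if _BLOCKED_SQL.search(skeleton):
        raise ValueError("statement uses a blocked keyword")
    for lit in literals:
        if lit.startswith("hf://"):
            continue
        if "/" in lit or "\\" in lit or "://" in lit:
            raise ValueError(f"literal {lit!r} looks like a local path or non-hf URL")
    return stripped


def safe_output_path(user_path: str, allowed_root: str) -> Path:
    """Resolve --output inside allowed_root, rejecting absolute paths and any
    result that escapes the root after '..' and symlink resolution."""
    root = Path(allowed_root).resolve()
    candidate = Path(user_path)
    if candidate.is_absolute():
        raise ValueError("absolute --output paths are not allowed")
    target = (root / candidate).resolve()
    if root not in target.parents:  # also rejects target == root
        raise ValueError(f"--output must stay inside {root}")
    return target


_REPO_ID = re.compile(r"^([A-Za-z0-9][\w.-]*)/([A-Za-z0-9][\w.-]*)$")


def check_push_target(repo_id: str, allowed_namespaces: frozenset) -> str:
    """Allow --push-to only into an allow-listed organization or user namespace."""
    match = _REPO_ID.match(repo_id)
    if not match:
        raise ValueError("repo id must look like namespace/name")
    namespace = match.group(1)
    if namespace not in allowed_namespaces:
        raise ValueError(f"pushing to namespace {namespace!r} is not allowed")
    return repo_id


def rejected(check, *args) -> bool:
    """True if the check raises ValueError for these arguments."""
    try:
        check(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate call next to the abusive variants.
    print(check_read_only_sql("SELECT text FROM 'hf://datasets/org/name/data.parquet' LIMIT 5;"))
    print(rejected(check_read_only_sql, "SELECT * FROM read_text('/etc/passwd')"))
    print(rejected(check_read_only_sql, "SELECT 1; COPY (SELECT 1) TO '/tmp/x'"))
    print(safe_output_path("out/result.parquet", "/tmp/skill-exports"))
    print(rejected(safe_output_path, "../../etc/passwd", "/tmp/skill-exports"))
    print(check_push_target("my-org/clean-export", frozenset({"my-org"})))
    print(rejected(check_push_target, "attacker/dump", frozenset({"my-org"})))
```

Pattern checks on SQL are a second line of defence, not a sanitizer: they can be evaded by constructs the regexes do not anticipate, so they belong in front of an engine-level restriction rather than instead of one. DuckDB's `enable_external_access` setting (pinned with `lock_configuration`) turns off file and extension access for the whole connection and is the stronger control where the skill can live without it; because it is connection-wide, the guard above is the layer that can still be applied selectively to the `--sql` path.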
Full report: https://skillshield.io/report/9efb40be2f52ff25
Powered by SkillShield