Trust Assessment
huggingface-tool-builder received a trust score of 25/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Suspicious import: urllib.request, Prompt Injection Attempt in SKILL.md, Command Injection via unsanitized model_id in hf_model_card_frontmatter.sh.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 49abf82b). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Prompt Injection Attempt in SKILL.md**: The `SKILL.md` file, which is treated as untrusted input, contains direct instructions intended to manipulate the host LLM's behavior, including redefining its purpose, instructing it on how to handle environment variables (`HF_TOKEN`), and guiding its interaction with external APIs (e.g., "DO NOT ATTEMPT to read..."). These are explicit attempts to override or influence the LLM's core instructions. Remediation: remove all direct instructions to the LLM from the untrusted `SKILL.md` content; the LLM's behavior should be governed by its system prompt, not by user-provided or skill-provided untrusted content. | LLM | SKILL.md:4 |
| HIGH | **Command Injection via unsanitized model_id in hf_model_card_frontmatter.sh**: The `hf_model_card_frontmatter.sh` script passes the `model_id` variable, which originates from user input (command-line arguments or stdin), directly to the `hf download` command without sanitization. An attacker could inject shell metacharacters into `model_id` to execute arbitrary commands on the system where the skill is run; for example, `model_id='foo/bar; rm -rf /'` could lead to arbitrary code execution. Remediation: sanitize `model_id` before passing it to `hf download`, either by validating the input against a strict regex pattern for valid Hugging Face model IDs or by using a library function that safely escapes shell arguments; alternatively, confirm that the `hf` CLI itself provides a safe way to handle untrusted input. | Static | references/hf_model_card_frontmatter.sh:109 |
| HIGH | **Command Injection via unsanitized URL in hf_model_papers_auth.sh**: The `hf_api_call` function in `hf_model_papers_auth.sh` takes a `url` argument and uses it directly within a `curl` command. If the `url` contains shell metacharacters, an attacker could inject arbitrary commands. The `model_id` variable, derived from user input, is used to construct `api_url` and `card_url`, which are then passed to `hf_api_call` or directly to `curl`, creating a direct path for command injection; for example, `model_id='foo/bar; evil_command'` could lead to arbitrary code execution. Remediation: sanitize the `url` and `model_id` variables before they are used in `curl` commands, by validating the input against a strict URL pattern or by using a `curl` option that explicitly treats the argument as a literal URL (e.g., `--url` rather than a positional argument, if available), though correct quoting is the primary defense here. Ensure all variables passed to external commands are properly quoted and/or sanitized. | Static | references/hf_model_papers_auth.sh:64 |
| MEDIUM | **Suspicious import: urllib.request**: Import of `urllib.request` detected. This module provides network or low-level system access. Verify that this import is necessary; network and system modules in skill code may indicate data exfiltration. | Static | skills/huggingface-tool-builder/references/baseline_hf_api.py:13 |
Full report: https://skillshield.io/report/69d42c74a34b828c