Hugging Face
v1.0.2Hugging Face integration. Manage Models, Datasets, Spaces. Use when the user wants to interact with Hugging Face data.
⭐ 0· 102·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (Hugging Face integration) aligns with the instructions: the SKILL.md documents using the Membrane CLI to connect to Hugging Face and run actions to list, create, update, move, and delete repositories, models, datasets, and Spaces. Requiring a Membrane account and network access is consistent with this purpose.
Instruction Scope
Instructions are limited to installing and using the Membrane CLI and then creating/running Membrane actions or proxying requests to the Hugging Face API. This is appropriate, but the documented actions include destructive operations (delete-repository, move-repository, duplicate-repository, update-model-settings) and allow arbitrary proxied API requests, so the agent (or user) could perform sensitive changes to your Hugging Face account if authorized.
Install Mechanism
No automated install spec is included (instruction-only). The SKILL.md instructs users to run `npm install -g @membranehq/cli`, which is a typical client-side install but will place a third-party CLI on the system. That is standard but requires trusting the @membranehq/cli package and its source.
Credentials
The skill declares no required environment variables or credentials; authentication is handled interactively by the Membrane CLI (browser login / connection flow). This is proportionate, though it means Membrane will hold credentials/access tokens for the Hugging Face connection once you perform the login/connection step.
Persistence & Privilege
The skill is not marked always:true and is user-invocable; it does not request persistent system-level privileges in the metadata. Any persistence of credentials/configuration is performed by the Membrane CLI (outside the skill) during interactive login, which is expected for this integration.
Assessment
This skill delegates Hugging Face access to the third-party Membrane CLI. Before installing or using it: 1) Understand that connecting will grant Membrane access to your Hugging Face account and the ability to run destructive actions (delete/move repositories, change visibility, etc.). 2) Review the @membranehq/cli npm package and Membrane's privacy/security docs and repository (e.g., the referenced GitHub org) to verify authenticity. 3) Prefer performing initial tests on a non-production Hugging Face account or a sandbox repository. 4) When running actions, verify connectionId and action input before executing, and avoid running proxied arbitrary requests unless you trust the CLI and know exactly what will be sent. 5) If you cannot or do not want to trust a third-party CLI, do not install globally or grant the connection; consider using an official Hugging Face client or direct API access instead.Like a lobster shell, security has layers — review code before you run it.
latestvk975yra6tvan29g08f2zv1gph1843jgy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.