Back to skill

Security audit

Hugging Face Datasets

Security checks across malware telemetry and agentic risk

Overview

The skill is advertised as read-only dataset viewing but also instructs users to create/upload datasets and upload local agent session traces to Hugging Face.

Review this carefully before installing. Use it only if you intentionally want Hugging Face upload guidance, and do not upload agent traces or local folders unless you have checked them for secrets, PII, private prompts, and file paths; prefer private repos and narrowly selected files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is declared as a read-only Dataset Viewer API workflow, but this section expands its behavior into dataset repository creation and file uploads. That scope expansion can cause an agent or user to perform write actions, publish data unintentionally, or exfiltrate local files under the guise of a read-only exploration skill.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This section encourages uploading raw agent session traces from local directories such as ~/.claude, ~/.codex, and ~/.pi, which are highly likely to contain secrets, prompts, file paths, credentials, and other sensitive data. Embedding such guidance in a dataset-viewing skill materially increases the risk of sensitive local data disclosure or publication to a remote service.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The documentation explicitly claims the skill is for read-only API calls, yet later instructions describe repo creation and uploads. That contradiction is dangerous because agents and users may trust the safety claim and then execute higher-risk write operations they did not expect.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.