Back to skill

Security audit

Hugging Face LoRA Space Builder

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned, but it asks users to paste a write-capable Hugging Face token into chat and may reuse that token as a Space secret.

Review carefully before installing. Prefer using an existing secure Hugging Face login or a fine-grained token limited to the specific repo/Space, and avoid pasting long-lived write tokens into chat. Inspect any generated Space code before publishing, especially dependencies, git installs, external CDN scripts, and whether HF_TOKEN is stored as a Space secret.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to ask the user to paste a Hugging Face access token with write scope directly into chat. Requesting long-lived credentials in chat creates a high risk of secret exposure through logs, transcripts, downstream tools, or accidental reuse beyond the intended purpose.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The guidance explicitly instructs builders to inject third-party JavaScript into Gradio pages via remote CDNs. In this skill’s context, that means generated Spaces may execute untrusted external code in users’ browsers, creating supply-chain and privacy risks if the CDN asset is compromised, changed, blocked, or instrumented to exfiltrate prompts, images, tokens, or interaction data.

Ssd 3

High
Confidence
99% confidence
Finding
This instruction operationalizes credential collection by telling the agent to solicit a write-scoped token once and reuse it later for publishing. That materially increases the blast radius: a leaked token can both read private/gated models and modify or create user resources on Hugging Face.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.