Hugging Face
v1.0.0Discover, evaluate, and run Hugging Face models, datasets, and spaces with license checks, benchmark prompts, and reproducible integration plans.
⭐ 0· 347·0 current·0 all-time
byIván@ivangdavila
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match what the SKILL.md and companion docs do: discover models/datasets/spaces, run hosted inference, benchmark, and store local notes. Required binaries (curl, jq), HF_TOKEN, and ~/hugging-face/ config path are coherent with API calls and local memory described.
Instruction Scope
Runtime instructions explicitly show the Hugging Face discovery and inference endpoints and example curl commands. The docs limit external data to search terms and inference payloads, instruct not to send local files or secrets, and describe creating only the declared ~/hugging-face/ files. There is no instruction to read unrelated system files or contact unexpected endpoints.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only. This is low-risk: nothing is downloaded or written beyond optional local memory files the user must approve.
Credentials
The skill requires a single env var HF_TOKEN, which is appropriate for calling the Hugging Face Inference API. Minor metadata inconsistency: registry metadata lists no primary credential while the SKILL.md and docs require HF_TOKEN. HF_TOKEN usage is limited to the documented API calls in inference.md.
Persistence & Privilege
The skill requests a local config path (~/hugging-face/) for memory and artifacts; setup explicitly asks for user approval before creating files and sets restrictive permissions. always:false and no system-wide modifications are requested.
Assessment
This skill appears internally consistent: it will call Hugging Face APIs and requires an HF_TOKEN and a ~/hugging-face/ folder for local memory. Before installing: 1) Only provide an HF_TOKEN with minimal necessary scope and be prepared to rotate it if needed. 2) Confirm you trust Hugging Face for any inputs you send (search terms and inference payloads will leave your machine). 3) Approve creation of ~/hugging-face/ and check the files it creates; the setup recommends secure file permissions but verify them after creation. 4) Note the small metadata mismatch (primary credential not marked even though HF_TOKEN is required) — this is likely benign but you can ask the publisher to fix it. If you need stricter control, avoid setting HF_TOKEN globally in your shell and instead provide it only in a session when performing runs.Like a lobster shell, security has layers — review code before you run it.
latestvk97dkftrsjjq4dfe3m4r119mbd820232
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
HF Clawdis
OSLinux · macOS · Windows
Binscurl, jq
EnvHF_TOKEN
Config~/hugging-face/