ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Huggingface Trends

v1.0.0

Monitor and fetch trending models from Hugging Face with support for filtering by task, library, and popularity metrics. Use when users want to check trending AI models, compare model popularity, or explore popular models by task or library. Supports export to JSON and formatted output.

1· 1.1k·4 current·4 all-time
by@tianxingleo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included script and SKILL.md: the Python script calls the Hugging Face /models API, sorts/filter results, formats output, and can export JSON. No unrelated binaries or credentials are requested.
Instruction Scope
Runtime instructions only call the included script and show examples (including cron and programmatic usage). Examples reference a local proxy (http://172.28.96.1:10808) and a user-specific path (/home/ltx/...) — these are environment-specific examples, not required operations. The SKILL.md does show shell snippets (e.g., using ip route/awk) to construct a proxy URL; those are examples and not embedded backdoor behavior, but they would execute on the host if a user ran them.
Install Mechanism
No install spec; this is instruction-only with an included Python script. The only dependency is the requests package (the SKILL.md tells users to pip install requests). No downloads from remote URLs or archive extraction are used.
Credentials
The skill requires no environment variables, credentials, or config paths. Network access is needed to call the Hugging Face API and an optional HTTP proxy can be supplied; this is proportionate to the stated functionality.
Persistence & Privilege
The skill is not forced-always and does not modify other skills or system-wide settings. The cron example in SKILL.md is user-provided guidance only and not an automatic action by the skill.
Assessment
This skill appears coherent and low-risk for its stated purpose, but review these practical points before installing or running it: 1) Inspect the included script (already provided) to confirm it meets your expectations — it only performs GET requests to Hugging Face and writes JSON if requested. 2) Do not blindly use the example proxy (http://172.28.96.1:10808); verify you control or trust any proxy you configure, since traffic will route through it. 3) The SKILL.md shows a cron example with a specific home path (/home/ltx/...); adjust paths to your environment and avoid running scheduled jobs as root. 4) Install dependencies (pip install requests) in a virtualenv if you prefer containment. 5) If your environment has strict network policies, confirm that outgoing HTTPS to huggingface.co (or the chosen proxy) is permitted. 6) If you need higher assurance, run the script in a sandboxed environment first to observe network behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk978d719sht1xmm2rfzvft8ych810aew

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments