Huggingface Trends

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward Hugging Face model-trends helper with disclosed network access, optional JSON export, and an optional manual cron example.

Install this only if you want a command-line tool that contacts Hugging Face for public model metadata. Use a trusted proxy or omit the proxy if direct access works, choose JSON output paths carefully to avoid overwriting files, and add the cron example only if you deliberately want daily background runs and log files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation instructs users to perform network access to Hugging Face and optionally write JSON output files, but the skill metadata shown in this file does not declare corresponding permissions. That mismatch can bypass user expectations and platform governance, making network exfiltration or unintended file creation harder to audit even if the described behavior is legitimate for the skill’s purpose.

Session Persistence

Medium
Category
Rogue Agent
Content
Check trending models daily for new releases:

```bash
# Create cron job for daily monitoring
0 9 * * * cd /home/ltx/.openclaw/workspace && \
  /home/ltx/.openclaw/workspace/skills/huggingface-trends/scripts/hf_trends.py \
  -n 20 -p http://172.28.96.1:10808 >> /tmp/hf-trends.log 2>&1
```
Confidence
87% confidence
Finding
Create cron job for

VirusTotal

57/57 vendors flagged this skill as clean.
