Skill v1.1.0
ClawScan security
Hugging Face CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 6:34 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally coherent: it only requires the hf CLI and an HF_TOKEN and its instructions match the described Hugging Face CLI functionality; exercise caution when granting write-scoped tokens because the CLI can perform destructive actions.
- Guidance: This skill is what it says: a wrapper around the official hf CLI. Before installing or enabling it:
  1) Only provide HF_TOKEN (no other creds needed). Use a read-scoped token if you only need to browse/download; use write-scoped tokens only when necessary.
  2) Be cautious persisting the token in shared shell profiles — prefer per-session or least-privilege tokens.
  3) Review any hf commands the agent plans to run (some are destructive: delete repo, delete buckets, upload, deploy).
  4) Install hf from official sources (pip install "huggingface_hub[cli]" or Homebrew).
  5) If you want to limit risk, disable autonomous invocation for this skill or supply a read-only token while exploring.
Review Dimensions
- Purpose & Capability (ok): Name/description (Hugging Face CLI) align with declared requirements: it needs the 'hf' binary and HF_TOKEN. Those are expected and proportional to managing Hub models, datasets, repos, spaces, and jobs.
- Instruction Scope (note): SKILL.md is an instruction-only skill listing many hf commands (including create/delete repo, delete buckets, deploy endpoints, run jobs). The instructions do not ask the agent to read unrelated files or env vars, but they do advise persisting HF_TOKEN in shell profiles and enumerate destructive operations—so the user/agent must limit which commands are run and prefer least-privilege tokens for non-write tasks.
- Install Mechanism (ok): No install spec is embedded in the skill (lowest risk). The doc suggests installing via pip or Homebrew (official, expected methods). Nothing in the skill attempts to download arbitrary code or write files.
- Credentials (note): Only HF_TOKEN is requested, which is appropriate. However, a write-scoped HF_TOKEN grants broad power (create/delete/upload, manage endpoints, run jobs). The README correctly distinguishes read vs write scopes — recommend using read-only tokens for exploration and minimal-scope tokens for other tasks.
- Persistence & Privilege (ok): always is false and the skill does not request system-wide config changes. Autonomous invocation is allowed (platform default) — combined with a write-token this increases blast radius, so token scope matters.
