From 5698a43b5343a475fe5a5d11527c8d3ef891091f Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 27 Apr 2026 12:12:51 +0000
Subject: [PATCH 1/4] chore(deps): update huggingface/skills digest to acd2bf5
---
 skills/hf-cli/spec.yaml | 2 +-
 skills/hf-mcp/spec.yaml | 2 +-
 skills/huggingface-community-evals/spec.yaml | 2 +-
 skills/huggingface-datasets/spec.yaml | 2 +-
 skills/huggingface-gradio/spec.yaml | 2 +-
 skills/huggingface-llm-trainer/spec.yaml | 2 +-
 skills/huggingface-paper-publisher/spec.yaml | 2 +-
 skills/huggingface-papers/spec.yaml | 2 +-
 skills/huggingface-tool-builder/spec.yaml | 2 +-
 skills/huggingface-trackio/spec.yaml | 2 +-
 skills/huggingface-vision-trainer/spec.yaml | 2 +-
 skills/transformers-js/spec.yaml | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/skills/hf-cli/spec.yaml b/skills/hf-cli/spec.yaml
index 2971236d..8d4b5598 100644
--- a/skills/hf-cli/spec.yaml
+++ b/skills/hf-cli/spec.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
 repository: "https://github.com/huggingface/skills"
- ref: "061ab494cb145f43ae8f218939b99160e2c61c58" # main as of 2026-04-16
+ ref: "acd2bf5a7126994e15143bec061fe87a882811f3" # main as of 2026-04-16
 path: "skills/hf-cli"
 version: "0.1.0"
diff --git a/skills/hf-mcp/spec.yaml b/skills/hf-mcp/spec.yaml
index d7e0ce25..4b7c1c27 100644
--- a/skills/hf-mcp/spec.yaml
+++ b/skills/hf-mcp/spec.yaml
@@ -11,7 +11,7 @@ metadata:
 spec:
 repository: "https://github.com/huggingface/skills"
- ref: "061ab494cb145f43ae8f218939b99160e2c61c58" # main as of 2026-04-16
+ ref: "acd2bf5a7126994e15143bec061fe87a882811f3" # main as of 2026-04-16
 path: "hf-mcp/skills/hf-mcp"
 version: "0.1.0"
diff --git a/skills/huggingface-community-evals/spec.yaml b/skills/huggingface-community-evals/spec.yaml
index 6edf6622..32380489 100644
--- a/skills/huggingface-community-evals/spec.yaml
+++ b/skills/huggingface-community-evals/spec.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
 repository: "https://github.com/huggingface/skills"
- ref: "061ab494cb145f43ae8f218939b99160e2c61c58" # main as of 2026-04-16
+ ref: "acd2bf5a7126994e15143bec061fe87a882811f3" # main as of 2026-04-16
 path: "skills/huggingface-community-evals"
 version: "0.1.0"
diff --git a/skills/huggingface-datasets/spec.yaml b/skills/huggingface-datasets/spec.yaml
index 4aa75ab5..29732fb6 100644
--- a/skills/huggingface-datasets/spec.yaml
+++ b/skills/huggingface-datasets/spec.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
 repository: "https://github.com/huggingface/skills"
- ref: "061ab494cb145f43ae8f218939b99160e2c61c58" # main as of 2026-04-16
+ ref: "acd2bf5a7126994e15143bec061fe87a882811f3" # main as of 2026-04-16
 path: "skills/huggingface-datasets"
 version: "0.1.0"
diff --git a/skills/huggingface-gradio/spec.yaml b/skills/huggingface-gradio/spec.yaml
index 9db903e6..c4fda386 100644
--- a/skills/huggingface-gradio/spec.yaml
+++ b/skills/huggingface-gradio/spec.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
 repository: "https://github.com/huggingface/skills"
- ref: "061ab494cb145f43ae8f218939b99160e2c61c58" # main as of 2026-04-16
+ ref: "acd2bf5a7126994e15143bec061fe87a882811f3" # main as of 2026-04-16
 path: "skills/huggingface-gradio"
 version: "0.1.0"
diff --git a/skills/huggingface-llm-trainer/spec.yaml b/skills/huggingface-llm-trainer/spec.yaml
index e52bd1d3..eef11a05 100644
--- a/skills/huggingface-llm-trainer/spec.yaml
+++ b/skills/huggingface-llm-trainer/spec.yaml
@@ -12,7 +12,7 @@ metadata:
 spec:
 repository: "https://github.com/huggingface/skills"
- ref: "061ab494cb145f43ae8f218939b99160e2c61c58" # main as of 2026-04-16
+ ref: "acd2bf5a7126994e15143bec061fe87a882811f3" # main as of 2026-04-16
 path: "skills/huggingface-llm-trainer"
 version: "0.1.0"
diff --git a/skills/huggingface-paper-publisher/spec.yaml b/skills/huggingface-paper-publisher/spec.yaml
index 5a26501c..5198a63b 100644
--- a/skills/huggingface-paper-publisher/spec.yaml
+++ b/skills/huggingface-paper-publisher/spec.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
 repository: "https://github.com/huggingface/skills"
- ref: "061ab494cb145f43ae8f218939b99160e2c61c58" # main as of 2026-04-16
+ ref: "acd2bf5a7126994e15143bec061fe87a882811f3" # main as of 2026-04-16
 path: "skills/huggingface-paper-publisher"
 version: "0.1.0"
diff --git a/skills/huggingface-papers/spec.yaml b/skills/huggingface-papers/spec.yaml
index bfe0e373..726b0f22 100644
--- a/skills/huggingface-papers/spec.yaml
+++ b/skills/huggingface-papers/spec.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
 repository: "https://github.com/huggingface/skills"
- ref: "061ab494cb145f43ae8f218939b99160e2c61c58" # main as of 2026-04-16
+ ref: "acd2bf5a7126994e15143bec061fe87a882811f3" # main as of 2026-04-16
 path: "skills/huggingface-papers"
 version: "0.1.0"
diff --git a/skills/huggingface-tool-builder/spec.yaml b/skills/huggingface-tool-builder/spec.yaml
index e45ca505..46a1b9a6 100644
--- a/skills/huggingface-tool-builder/spec.yaml
+++ b/skills/huggingface-tool-builder/spec.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
 repository: "https://github.com/huggingface/skills"
- ref: "061ab494cb145f43ae8f218939b99160e2c61c58" # main as of 2026-04-16
+ ref: "acd2bf5a7126994e15143bec061fe87a882811f3" # main as of 2026-04-16
 path: "skills/huggingface-tool-builder"
 version: "0.1.0"
diff --git a/skills/huggingface-trackio/spec.yaml b/skills/huggingface-trackio/spec.yaml
index e18375ab..c640c69d 100644
--- a/skills/huggingface-trackio/spec.yaml
+++ b/skills/huggingface-trackio/spec.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
 repository: "https://github.com/huggingface/skills"
- ref: "061ab494cb145f43ae8f218939b99160e2c61c58" # main as of 2026-04-16
+ ref: "acd2bf5a7126994e15143bec061fe87a882811f3" # main as of 2026-04-16
 path: "skills/huggingface-trackio"
 version: "0.1.0"
diff --git a/skills/huggingface-vision-trainer/spec.yaml b/skills/huggingface-vision-trainer/spec.yaml
index f61e6020..2031d20d 100644
--- a/skills/huggingface-vision-trainer/spec.yaml
+++ b/skills/huggingface-vision-trainer/spec.yaml
@@ -11,7 +11,7 @@ metadata:
 spec:
 repository: "https://github.com/huggingface/skills"
- ref: "061ab494cb145f43ae8f218939b99160e2c61c58" # main as of 2026-04-16
+ ref: "acd2bf5a7126994e15143bec061fe87a882811f3" # main as of 2026-04-16
 path: "skills/huggingface-vision-trainer"
 version: "0.1.0"
diff --git a/skills/transformers-js/spec.yaml b/skills/transformers-js/spec.yaml
index 23752663..bf4360f3 100644
--- a/skills/transformers-js/spec.yaml
+++ b/skills/transformers-js/spec.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
 repository: "https://github.com/huggingface/skills"
- ref: "061ab494cb145f43ae8f218939b99160e2c61c58" # main as of 2026-04-16
+ ref: "acd2bf5a7126994e15143bec061fe87a882811f3" # main as of 2026-04-16
 path: "skills/transformers-js"
 version: "0.1.0"
From b4b708dcfed7c3ab3c2c5e5dc0047199bb1120d2 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Mon, 27 Apr 2026 15:38:48 +0300
Subject: [PATCH 2/4] security(hf-skills): allowlist FP findings on hf-cli and huggingface-llm-trainer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- hf-cli: ATR_HIGH_RISK_TOOL_GATE matches 'delete' in documented hf CLI subcommands (hf repos delete, hf buckets delete, etc.) — same FP as Firebase/Datadog CLI skills.
- huggingface-llm-trainer: behavioral env-var-exfiltration findings (single and crossfile) match HF helper scripts that read HF_TOKEN and call huggingface.co — the legitimate auth pattern. Verified scripts hardcode BASE_URL='https://huggingface.co', so source==sink.
---
 skills/hf-cli/spec.yaml | 9 +++++++++
 skills/huggingface-llm-trainer/spec.yaml | 22 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)
diff --git a/skills/hf-cli/spec.yaml b/skills/hf-cli/spec.yaml
index 8d4b5598..c88996d8 100644
--- a/skills/hf-cli/spec.yaml
+++ b/skills/hf-cli/spec.yaml
@@ -23,3 +23,12 @@ security:
 reason: "huggingface/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter."
 - rule_id: PIPELINE_TAINT_FLOW
 reason: "The skill's prerequisites cite the official `hf` CLI installer (`curl -LsSf https://hf.co/cli/install.sh | bash`) and the `hf-mount` installer (`curl -fsSL https://raw.githubusercontent.com/huggingface/hf-mount/main/install.sh | sh`) as documented install commands. The scanner itself flags both as 'instructional install text in SKILL.md'."
+ - rule_id: ATR_HIGH_RISK_TOOL_GATE
+ reason: |
+ False positive - matches on the word `delete` in SKILL.md, where the
+ skill documents official `hf` CLI subcommands (e.g., `hf repos delete`,
+ `hf buckets delete`, `hf repos delete-files`, `hf spaces volumes delete`,
+ `hf webhooks delete`, `hf endpoints delete`). These are documented
+ Hugging Face CLI subcommands a user explicitly invokes against their own
+ HF account, not autonomous high-risk tool calls. Verified at digest
+ acd2bf5a7126994e15143bec061fe87a882811f3.
diff --git a/skills/huggingface-llm-trainer/spec.yaml b/skills/huggingface-llm-trainer/spec.yaml
index eef11a05..d5d4ae2e 100644
--- a/skills/huggingface-llm-trainer/spec.yaml
+++ b/skills/huggingface-llm-trainer/spec.yaml
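Review bot: The basis given in `HF account, not autonomous high-risk tool calls.` is not something this spec can establish: the hunk shows the match is on prose in SKILL.md, but whether the destructive subcommands end up run by the user or by an agent following the skill is not visible here, so the reason should rest on the text-match itself and state what SKILL.md says about confirming before a `delete` subcommand, e.g. `These are CLI subcommands listed in documentation prose, not a tool definition the agent calls on its own; SKILL.md leaves their invocation to the user.` only if that is what the file says. `Verified at digest acd2bf5a7126994e15143bec061fe87a882811f3.` is free text while `ref` is bumped automatically (patch 1 above, whose retained `# main as of 2026-04-16` comment is already stale), so the allowlist entry outlives the verification it cites; if the allowlist schema can scope an entry to a digest or path, use it, otherwise a comment next to `ref` saying these entries must be re-verified on every bump is the minimum. The same applies to the huggingface-llm-trainer hunk below and to the hf-cli and huggingface-paper-publisher hunks in patches 3 and 4.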
@@ -32,3 +32,25 @@ security:
 reason: "The bundled `scripts/convert_to_gguf.py` references `sudo apt-get install` / `sudo yum install` for optional system packages (build tools) when converting trained models to GGUF format. These run in ephemeral HF Jobs containers, not on the user's host. The script is HF-authored and documented in SKILL.md."
 - rule_id: DATA_EXFIL_NETWORK_REQUESTS
 reason: "Bundled helper scripts (`scripts/dataset_inspector.py`, `scripts/hf_benchmarks.py`) use `urllib.request` to query the public Hugging Face Hub API for dataset validation and benchmark lookups — documented workflow steps required by the skill."
+ - rule_id: BEHAVIOR_ENV_VAR_EXFILTRATION
+ reason: |
+ False positive - matches `scripts/hf_benchmarks.py` reading `HF_TOKEN`
+ from env (line 122) and using it to authenticate `urllib.request` calls.
+ The destination URL is hardcoded to `BASE_URL = "https://huggingface.co"`
+ — the same domain that issues HF_TOKEN. This is the standard, intended
+ HF API authentication pattern, not credential exfiltration. Verified at
+ digest acd2bf5a7126994e15143bec061fe87a882811f3.
+ - rule_id: BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION
+ reason: |
+ False positive - same root cause as BEHAVIOR_ENV_VAR_EXFILTRATION.
+ `scripts/unsloth_sft_example.py` and `scripts/hf_benchmarks.py` both
+ read HF_TOKEN/hfjob env vars and make network calls to huggingface.co
+ for legitimate API usage (training job submission, benchmark queries).
+ No data leaves the HF ecosystem. Verified at digest
+ acd2bf5a7126994e15143bec061fe87a882811f3.
+ - rule_id: BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN
+ reason: |
+ False positive - the alleged "chain" is two HF helper scripts each
+ calling the public Hugging Face Hub API with HF_TOKEN auth. There is
+ no third-party transmission; both source and sink are huggingface.co.
+ Verified at digest acd2bf5a7126994e15143bec061fe87a882811f3.
From 2074990e25f9d2223b75b7a870f985e83d9dccc1 Mon Sep 17 00:00:00 2001
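Review bot: The BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION reason asserts that both scripts send the token only to huggingface.co, but the hard-coded `BASE_URL` evidence is given for `scripts/hf_benchmarks.py` (line 122) alone; for `scripts/unsloth_sft_example.py` the entry says only `make network calls to huggingface.co` without naming the line or the mechanism. If that script goes through the `huggingface_hub` client, the endpoint is resolved at run time from `HF_ENDPOINT` rather than fixed in the file, and the source-equals-sink argument then depends on the job environment rather than on the pinned digest, so the reason should cite the line and endpoint mechanism for it as it does for hf_benchmarks.py. `read HF_TOKEN/hfjob env vars` should also name the variables actually read, since the point of pinning a digest is that the entry can be re-checked against it. The BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN entry inherits the same gap.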
From: Juan Antonio Osorio
Date: Mon, 27 Apr 2026 15:54:47 +0300
Subject: [PATCH 3/4] security(hf-cli): allowlist ATR_MCP_MALICIOUS_RESPONSE for documented installers
Same root cause as PIPELINE_TAINT_FLOW already allowlisted - matches the official hf and hf-mount installer commands in SKILL.md.
---
 skills/hf-cli/spec.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/skills/hf-cli/spec.yaml b/skills/hf-cli/spec.yaml
index c88996d8..542fea8e 100644
--- a/skills/hf-cli/spec.yaml
+++ b/skills/hf-cli/spec.yaml
@@ -32,3 +32,13 @@ security:
 Hugging Face CLI subcommands a user explicitly invokes against their own
 HF account, not autonomous high-risk tool calls. Verified at digest
 acd2bf5a7126994e15143bec061fe87a882811f3.
+ - rule_id: ATR_MCP_MALICIOUS_RESPONSE
+ reason: |
+ Same root cause as PIPELINE_TAINT_FLOW above - matches the official
+ `hf` CLI installer (`curl -LsSf https://hf.co/cli/install.sh | bash`,
+ SKILL.md:1) and the `hf-mount` installer
+ (`curl -fsSL https://raw.githubusercontent.com/huggingface/hf-mount/main/install.sh | sh`,
+ SKILL.md:180). These are documented install commands hard-coded in
+ SKILL.md, not MCP tool responses. Both endpoints are official Hugging
+ Face installer URLs. Verified at digest
+ acd2bf5a7126994e15143bec061fe87a882811f3.
From d927d3ecbb6c460f3d11bce7af16b042987e5b90 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Mon, 27 Apr 2026 16:03:09 +0300
Subject: [PATCH 4/4] security(huggingface-paper-publisher): allowlist BEHAVIOR_*_ENV_VAR_EXFILTRATION FPs
Same root cause as huggingface-llm-trainer: scripts/paper_manager.py reads HF_TOKEN and calls huggingface.co (token issuer == network destination). The crossfile/single-file detections both flag this benign HF API auth.
---
 skills/huggingface-paper-publisher/spec.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/skills/huggingface-paper-publisher/spec.yaml b/skills/huggingface-paper-publisher/spec.yaml
index 5198a63b..0c556f7e 100644
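Review bot: `Both endpoints are official Hugging Face installer URLs. Verified at digest` reads as if the verification covers the installers, but the digest pins only the SKILL.md text; what `curl ... | bash` and `| sh` actually execute is fetched unpinned at run time and is outside anything this allowlist can check. I would say so in the reason, e.g. `The digest pins the SKILL.md text only; the installer scripts themselves are fetched unpinned at run time and are not covered by this verification.` The `SKILL.md:1` and `SKILL.md:180` references are useful but hold only at that digest, which the renovate bump in patch 1 shows will move without anyone revisiting this entry.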
--- a/skills/huggingface-paper-publisher/spec.yaml
+++ b/skills/huggingface-paper-publisher/spec.yaml
@@ -27,3 +27,20 @@ security:
 reason: "The skill uses network access through its bundled `paper_manager.py` script (as its documented workflow), but does not declare an explicit network-access tool in frontmatter. All network calls target the public Hugging Face Hub API documented in the SKILL.md."
 - rule_id: FILE_MAGIC_MISMATCH
 reason: "`templates/modern.md` is a paper template that legitimately uses Handlebars-style `{{}}` substitution syntax. Magika detects the Handlebars markers and flags the format mismatch; the file is plain text documentation and safe."
+ - rule_id: BEHAVIOR_ENV_VAR_EXFILTRATION
+ reason: |
+ False positive - matches `scripts/paper_manager.py` reading `HF_TOKEN`
+ (line 44) and making `requests.get()` calls to
+ `https://huggingface.co/papers/{arxiv_id}` (lines 69, 98, 179, 215) and
+ `https://export.arxiv.org/api/query` (line 352, no token sent). This
+ is the standard, intended HF API auth pattern — token issued by
+ huggingface.co is sent back to huggingface.co. Source domain == sink
+ domain. Verified at digest acd2bf5a7126994e15143bec061fe87a882811f3.
+ - rule_id: BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION
+ reason: |
+ False positive - same root cause as BEHAVIOR_ENV_VAR_EXFILTRATION
+ above. The "crossfile" detection is from `paper_manager.py` reading
+ env vars and triggering its own network helpers within the same file/
+ module. All network destinations are huggingface.co or
+ export.arxiv.org. Verified at digest
+ acd2bf5a7126994e15143bec061fe87a882811f3.
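Review bot: The source-equals-sink argument in the BEHAVIOR_ENV_VAR_EXFILTRATION reason holds only while the host of `https://huggingface.co/papers/{arxiv_id}` stays fixed, so the entry should state how `arxiv_id` is validated or URL-encoded before it is interpolated; from the hunk alone I cannot tell whether it is. It is also worth naming the redirect case: if the token is passed as an `Authorization` header, `requests` drops that header on a cross-host redirect, which is the property the `token issued by huggingface.co is sent back to huggingface.co` claim actually rests on, and naming it makes the entry checkable against the pinned lines. In the second entry, `within the same file/ module` describes a single-file flow under a crossfile rule; saying explicitly that the scanner's crossfile finding resolves to one module would stop a reader from assuming a second script exists.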