
chore(deps): update huggingface/skills digest to 35c1c60 #593

Open
renovate[bot] wants to merge 1 commit into main from renovate/huggingface-skills-digest


@renovate renovate Bot commented Apr 30, 2026

This PR contains the following updates:

Package | Update | Change
huggingface/skills | digest | 904a2f9 → 35c1c60

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

🛡️ Skill Security Scan Results

✅ hf-cli

  • Status: Passed
  • Findings: 8
  • Allowed (not blocking): 2
    • PIPELINE_TAINT_FLOW (Allowed: The skill's prerequisites cite the official hf CLI installer (curl -LsSf https://hf.co/cli/install.sh | bash) and the hf-mount installer (curl -fsSL https://raw.githubusercontent.com/huggingface/hf-mount/main/install.sh | sh) as documented install commands. The scanner itself flags both as 'instructional install text in SKILL.md'.)
    • PIPELINE_TAINT_FLOW (Allowed: The skill's prerequisites cite the official hf CLI installer (curl -LsSf https://hf.co/cli/install.sh | bash) and the hf-mount installer (curl -fsSL https://raw.githubusercontent.com/huggingface/hf-mount/main/install.sh | sh) as documented install commands. The scanner itself flags both as 'instructional install text in SKILL.md'.)

✅ hf-mcp

  • Status: Passed
  • Findings: 6
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: huggingface/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ huggingface-community-evals

  • Status: Passed
  • Findings: 4

✅ huggingface-datasets

  • Status: Passed
  • Findings: 5
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: huggingface/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ huggingface-gradio

  • Status: Passed
  • Findings: 4
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: huggingface/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ huggingface-llm-trainer

  • Status: Passed
  • Findings: 9
  • Allowed (not blocking): 5
    • TOOL_ABUSE_SYSTEM_PACKAGE_INSTALL (Allowed: The bundled scripts/convert_to_gguf.py references sudo apt-get install / sudo yum install for optional system packages (build tools) when converting trained models to GGUF format. These run in ephemeral HF Jobs containers, not on the user's host. The script is HF-authored and documented in SKILL.md.)
    • TOOL_ABUSE_SYSTEM_PACKAGE_INSTALL (Allowed: The bundled scripts/convert_to_gguf.py references sudo apt-get install / sudo yum install for optional system packages (build tools) when converting trained models to GGUF format. These run in ephemeral HF Jobs containers, not on the user's host. The script is HF-authored and documented in SKILL.md.)
    • DATA_EXFIL_NETWORK_REQUESTS (Allowed: Bundled helper scripts (scripts/dataset_inspector.py, scripts/hf_benchmarks.py) use urllib.request to query the public Hugging Face Hub API for dataset validation and benchmark lookups — documented workflow steps required by the skill.)
    • DATA_EXFIL_NETWORK_REQUESTS (Allowed: Bundled helper scripts (scripts/dataset_inspector.py, scripts/hf_benchmarks.py) use urllib.request to query the public Hugging Face Hub API for dataset validation and benchmark lookups — documented workflow steps required by the skill.)
    • DATA_EXFIL_NETWORK_REQUESTS (Allowed: Bundled helper scripts (scripts/dataset_inspector.py, scripts/hf_benchmarks.py) use urllib.request to query the public Hugging Face Hub API for dataset validation and benchmark lookups — documented workflow steps required by the skill.)

✅ huggingface-paper-publisher

  • Status: Passed
  • Findings: 9
  • Allowed (not blocking): 4
    • BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION (Allowed: False positive - same root cause as BEHAVIOR_ENV_VAR_EXFILTRATION above. The "crossfile" detection is from paper_manager.py reading env vars and triggering its own network helpers within the same file/module. All network destinations are huggingface.co or export.arxiv.org. Verified at digest acd2bf5a7126994e15143bec061fe87a882811f3.)
    • TOOL_ABUSE_UNDECLARED_NETWORK (Allowed: The skill uses network access through its bundled paper_manager.py script (as its documented workflow), but does not declare an explicit network-access tool in frontmatter. All network calls target the public Hugging Face Hub API documented in the SKILL.md.)
    • BEHAVIOR_ENV_VAR_EXFILTRATION (Allowed: False positive - matches scripts/paper_manager.py reading HF_TOKEN (line 44) and making requests.get() calls to https://huggingface.co/papers/{arxiv_id} (lines 69, 98, 179, 215) and https://export.arxiv.org/api/query (line 352, no token sent). This is the standard, intended HF API auth pattern — token issued by huggingface.co is sent back to huggingface.co. Source domain == sink domain. Verified at digest acd2bf5a7126994e15143bec061fe87a882811f3.)
    • MANIFEST_MISSING_LICENSE (Allowed: huggingface/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ huggingface-papers

  • Status: Passed
  • Findings: 4
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: huggingface/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

❌ huggingface-tool-builder

  • Status: Failed
  • Findings: 7
  • Blocking: 1

Blocking issues:

  • [ATR_HIGH_RISK_TOOL_GATE] (HIGH) Pattern detected: Shell (SKILL.md:10)

Allowlisted (not blocking):

  • TOOL_ABUSE_UNDECLARED_NETWORK (Allowed: The skill uses network access through its bundled reference scripts that call the public Hugging Face Hub API. The frontmatter does not declare a dedicated network-access tool, but the network calls are documented examples bundled for user education, not runtime execution by the skill itself.)
  • MANIFEST_MISSING_LICENSE (Allowed: huggingface/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ huggingface-trackio

  • Status: Passed
  • Findings: 5
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: huggingface/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ huggingface-vision-trainer

  • Status: Passed
  • Findings: 5

✅ transformers-js

  • Status: Passed
  • Findings: 0

Summary: Scanned 12 skill(s), found 1 blocking issue(s).

⚠️ Action Required: Review the blocking findings. Add a justified entry to the skill's security.allowed_issues[] in its spec.yaml if the finding is a false positive.
