brin
brin

@huggingface/hub

npm

Is @huggingface/hub safe to use?

Based on the latest brin safety scan, no vulnerabilities or threats were detected for @huggingface/hub v2.9.0. Trust score: 75/100. No known CVE vulnerabilities, no detected threat patterns, and no suspicious capabilities identified. This is an automated, point-in-time assessment.

Install (safety-checked)

@huggingface/hub Passed Security Checks

No security concerns detected

clean
CVEs

0

Threats

0

Install Scripts

0

No Concerns Detected

No security concerns detected in the latest brin assessment. This is an automated, point-in-time evaluation — security posture may change.

This is an automated, point-in-time assessment and may contain errors. Findings are risk indicators, not confirmed threats. Security posture may change over time. Maintainers can dispute findings via the brin review process.

@huggingface/hub Capabilities & Permissions

What @huggingface/hub can access when installed. Review these capabilities before using with AI agents like Cursor, Claude Code, or Codex.

Network Access

This package makes network requests.

aschen.techburtleburtle.netcas.cocdn-avatars.huggingface.cocdn-thumbnails.huggingface.codeveloper.mozilla.orgdiscuss.huggingface.cofetch.cofoor.bargit-lfs.github.com+10 more
Protocols: http, https

Filesystem Access

Reads and writes to the filesystem.

/etc/ (r).env (r).env (r).env (r)package.json (r)package.json (r).env (w).env (w)+12 more

Process Spawning

This package can spawn child processes.

Environment Variables

Accesses the following environment variables.

HF_ENDPOINTHF_HOMEHF_HUB_CACHEHF_TOKENHUGGINGFACE_HUB_CACHEXDG_CACHE_HOME

AGENTS.md for @huggingface/hub

Good instructions lead to good results. brin adds @huggingface/hub documentation to your AGENTS.md so your agent knows how to use it properly—improving both safety and performance.

brin init

Vercel's research: 100% accuracy with AGENTS.md vs 53% without →

@huggingface/hub Documentation & Source Code

For the full @huggingface/hub README, API documentation, and source code, visit the official package registry.

View on npmView SourceHomepage

Frequently asked questions about @huggingface/hub safety

Weekly Downloads

102.0K

Version

2.9.0

License

MIT

Last Scanned

Feb 11, 2026

Trust Score

75/100·Legitimacy signals, not safety

Capabilities

Network

Connects to: aschen.tech, burtleburtle.net, cas.co...

Filesystem

Reads & Writes files

Process

Spawns child processes

Environment

Accesses: HF_ENDPOINT, HF_HOME, HF_HUB_CACHE...

Is @huggingface/hub Safe? | npm Safety Scan - brin