About HuggingHugh
Nutrition Labels for AI Models
What is this?
HuggingHugh provides Software Bill of Materials (SBOM) reports for the most popular models on HuggingFace Hub. Think of it as nutrition labels for AI models — helping you understand what dependencies, vulnerabilities, and licenses are involved before you integrate a model into your project.
Just like food nutrition labels help you make informed dietary choices, HuggingHugh helps you make informed decisions about the AI models you consume.
What's in a report?
- Trust Score (0-100) — An overall assessment based on security, licensing, and quality factors
- Vulnerability Scan — CVEs found in inferred dependencies (via Grype)
- License Analysis — Model license, commercial use permissions, copyleft risks
- SBOM Components — Full list of inferred dependencies in CycloneDX format
- Security Indicators — SafeTensors usage, verified organization status
Methodology
For each model, we:
- Fetch metadata from the HuggingFace Hub API
- Infer dependencies based on the library (transformers, diffusers, etc.) and model architecture
- Generate an SBOM using Syft
- Scan for vulnerabilities using Grype
- Analyze the license from model card data
- Calculate a trust score based on multiple factors
Note: Dependency inference is not perfect. The actual dependencies may vary based on your specific environment and usage patterns.
Trust Score Factors
| Factor | Weight | Description |
|---|---|---|
| No Critical/High CVEs | 20% | Dependencies free of critical and high severity vulnerabilities |
| Verified Organization | 15% | Published by a known, verified organization (Meta, Google, etc.) |
| SafeTensors Format | 15% | Uses secure safetensors format instead of pickle-based files |
| Clear License | 15% | License is clearly specified and appropriate for use |
| No Pickle Files | 10% | Does not contain pickle files (arbitrary code execution risk) |
| Model Card Quality | 10% | Has comprehensive documentation (README, config, tags) |
| Recent Updates | 10% | Model has been updated within the last 90 days |
| Community Engagement | 5% | Downloads and likes indicate community trust |
Support This Project
HuggingHugh is a free community resource. Running daily scans and hosting costs money. If you find this useful, consider buying me a coffee!
☕ Buy me a coffee