As the scale of open-source models and datasets continues to expand, the Hugging Face ecosystem forms a complex heterogeneous dependency network centered on model-dataset relationships. Issues such as missing metadata and high dependency concentration make chain-structured risks more likely to accumulate and propagate. To characterize this underlying risk landscape, this study constructs a resource dependency network of open-source AI resources based on a Hugging Face snapshot and analyzes its structural and evolutionary characteristics from the perspectives of global topology and temporal evolution. Furthermore, a “credibility risk” indicator is proposed by integrating metadata completeness and community feedback, enabling continuous risk quantification and ranking of model and dataset nodes. The results show that the dependency network exhibits a pronounced “spike-and-long-tail” structure, in which dependencies are highly concentrated on a small number of hub nodes, while a large proportion of resources remain isolated or semi-isolated within critical data-flow relationships. Meanwhile, the explosive growth of models, combined with the relatively slow expansion of datasets and contributors, strengthens the ecosystem’s path dependence on a limited set of core data sources, thereby giving rise to structural systemic risks. At the node level, the proposed credibility risk indicator demonstrates robustness to parameter perturbations and effectively distinguishes high-risk from low-risk nodes across multiple risk sources, outperforming baseline methods. Risk-coupling analysis and expert blind evaluation further confirm the clustering and propagation effects of high-risk datasets and high-risk models within local structures. Overall, this study provides a reproducible quantitative basis for risk screening and governance in open-source AI ecosystems.