Cargo Connection

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Cargo connector-management skill, with a credential-handling documentation caveat users should treat carefully.

Install only if you intend to manage Cargo connectors and are comfortable granting the Cargo CLI access to your Cargo account and third-party integration credentials. Avoid pasting real API keys directly into command-line examples; prefer OAuth, a protected config file, an interactive prompt, or another secret-safe workflow when available.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The examples show credential material being passed directly on the command line via `--config '{"apiKey":"new-key"}'` without warning that shell history, process listings, audit logs, or terminal recordings may expose those secrets. In a connector-management skill, users are likely to copy these commands verbatim for real production integrations, which makes accidental credential disclosure a practical risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal