Cargo Orchestration

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Cargo CLI skill for operating Cargo workflows, but it can make real production changes and should be used deliberately.

Install only if you intend to let an agent operate your Cargo workspace. Use least-privilege Cargo credentials, verify the active workspace with `cargo-ai whoami`, review UUIDs and payloads before runs, and require explicit confirmation before deploy, cancel, remove, sync, enrichment, webhook, CRM, or outreach-related commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Medium severity, 90% confidence
The skill manifest frames the capability as orchestration/querying, but the body also documents destructive management actions such as cancelling runs/batches/records. That mismatch can cause an orchestrator or reviewer to underestimate the skill's write/destructive scope, increasing the chance of accidental harmful use without explicit user intent confirmation.

Description-Behavior Mismatch

Medium severity, 94% confidence
The skill advertises segment record fetching, but the documentation also includes segment update and removal operations. This is a scope expansion from read-oriented access to mutation/deletion, which can lead to unauthorized or accidental modification of segmentation assets if invoked under the assumption the skill is observational only.

Vague Triggers

Medium severity, 83% confidence
The invocation description is very broad and covers executing actions, workflows, messages, SQL, record fetches, and schema inspection. Such a wide trigger surface can cause the skill to activate for common user requests and then expose powerful operational capabilities, including state-changing commands, without strong narrowing conditions.

Missing User Warnings

Medium severity, 91% confidence
Cancellation commands are destructive operational controls, but the documentation presents them without an explicit warning to confirm user intent or explain impact on live workflows. This raises the risk of accidental service disruption, aborted jobs, and loss of in-flight processing when an agent follows the examples too readily.

Missing User Warnings

Medium severity, 95% confidence
The segment removal command is a destructive delete operation, yet it is documented without strong warning language about its impact. Deleting or altering segmentation assets can disrupt downstream workflows, automations, and business processes, especially where segments are reused across the workspace.

Missing User Warnings

Medium severity, 93% confidence
The examples show connector actions and webhook usage that send record data to third-party services, but they do not warn users that submitted fields may leave the Cargo platform and be processed by external systems. In a skill whose purpose is to orchestrate actions across connectors and notify external endpoints, this omission can lead to unintended disclosure of sensitive business or personal data by users who copy examples verbatim.

Missing User Warnings

Medium severity, 91% confidence
The example grants an agent external actions that can enrich data and modify CRM records, but it does not warn that executing the prompt may transmit customer data to third parties or create/update records in external systems. In a skill meant for orchestration and action execution, omission of consent, scope, and side-effect warnings increases the risk of unintended data sharing or unauthorized business changes.

Missing User Warnings

Medium severity, 93% confidence
This combined example normalizes a workflow that researches a company, enriches data, and updates a CRM in one step without disclosing privacy, authorization, or record-modification consequences. Because the documented CLI supports real-world orchestration, users may run this against production integrations and expose internal or personal data to external providers without appropriate review.

Missing User Warnings

Medium severity, 95% confidence
The end-to-end example instructs users to gather a person's role, LinkedIn URL, and email address and to use an email-finder tool, but it provides no privacy or compliance caution. In context, this is more dangerous because it is a turnkey workflow that operationalizes personal-data collection and outreach, which can lead to unauthorized processing of personal data, policy violations, or misuse at scale.

Missing User Warnings

Medium severity, 95% confidence
The example explicitly demonstrates `segment fetch --enrich --sync`, which can trigger connected enrichment tools and write changes back to the model, but it does not warn the operator that this is not a read-only query. In an agent skill context, examples strongly influence behavior; presenting a mutating command as a routine fetch increases the chance of unintended data modification, unexpected external tool execution, and accidental side effects.

Missing User Warnings

Medium severity, 93% confidence
The examples instruct users to deploy draft releases and create runs/batches that can trigger live workflow changes and external connector actions, but they do not include any warning, confirmation step, or guidance to use a test environment first. In an agent skill context, such operational commands are especially risky because an autonomous or inattentive user may copy them directly, causing unintended production changes or outbound actions.

VirusTotal

63/63 vendors flagged this skill as clean.