Back to skill

Security audit

Cargo Content

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Cargo CLI guide for uploading, organizing, syncing, and removing knowledge files and libraries, with no evidence of hidden or unrelated behavior.

Install this only if you intend to manage Cargo knowledge content. Be careful with OAuth/API tokens and with uploads, because files may contain sensitive data and may be indexed for retrieval. Double-check file and library UUIDs before running remove commands, since the docs do not clearly state whether deletion is reversible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This markdown file includes a direct `cargo-ai content file remove <file-uuid>` example, but provides no user-facing warning that the action deletes a file or may be irreversible. Under the markdown criteria for missing user warnings, destructive operations that could affect user data should be accompanied by a caution or note.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation shows `cargo-ai content library remove <library-uuid>` as part of update/remove examples without any warning that removing a library may affect agent resources or access to grouped files. Markdown skill documentation should disclose destructive behaviors that may impact user data or system integrity.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.