Back to skill

Security audit

Cargo Gtm

Security checks across malware telemetry and agentic risk

Overview

This GTM automation skill is mostly coherent, but it can enrich and move personal sales data across many providers, CRMs, sequencers, Slack/webhooks, and scheduled workflows without enough privacy and external-write guardrails.

Install only if you trust Cargo and the publisher with authenticated GTM operations. Before use, require explicit approval for any contact reveal, phone lookup, visitor de-anonymization, CRM/sequencer push, Slack/webhook post, scheduled play, or signed-output download; also confirm lawful basis, vendor approval, minimization, retention, and suppression/do-not-contact handling for any personal data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (33)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly instructs use of external CLI/API operations, downloads signed output URLs, and references local scripts that process data, yet no explicit permissions are declared. That creates a transparency and policy-enforcement gap: an agent or reviewer may underestimate that the skill can access networked services and workspace data using ambient credentials or authenticated connectors.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The file is presented as a 'front door/router' skill, but it also directs direct execution of data retrieval and local processing workflows, including fetching run outputs and running scripts that classify and transform prospect/contact data. This mismatch is dangerous because users and policy systems may grant it broad invocation based on a benign routing description while it actually performs sensitive data access and processing using authenticated workspace context.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The recipe expands from GTM tech-intent lookups into general-purpose scraping (`firecrawl.crawl`/`firecrawl.scrape`) and free-form LLM extraction (`anthropic.instruct`) as fallback behavior. That broadens the operational scope from constrained connector searches to open-ended web collection and interpretation, which increases the risk of scraping unapproved sources, collecting excessive data, or producing unreliable extracted signals that could then drive downstream outreach or CRM actions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger language is extremely broad ('any GTM task' involving prospects, leads, accounts, contacts, or campaign activation), so the skill may auto-match many ordinary business requests and steer them into high-impact enrichment, monitoring, or CRM-sync workflows. In context, that broad routing increases the chance of unintended access to third-party providers, personal data processing, and paid or sensitive actions being initiated under a seemingly generic request.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guidance explicitly instructs users to retrieve enriched outputs via signed URLs, and the surrounding skill is focused on prospect/contact enrichment that commonly includes personal data such as emails, phones, LinkedIn URLs, and company intelligence. Omitting any warning or handling guidance for sensitive output increases the risk of inadvertent exposure, insecure sharing, over-retention, or misuse of signed URLs that grant direct access to exported datasets.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide explicitly recommends using anonymous website visitor identification (`snitcher.searchSessions`) to identify prospects without any privacy warning, lawful-basis guidance, or constraints on acceptable use. In a sales/prospecting skill, this materially increases the risk of privacy-invasive lead generation and misuse of de-anonymized visitor data, especially when combined with prospect matching and outreach workflows.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide instructs users to send enriched lead, contact, and personalized outreach data to third-party LLMs, sequencers, and CRMs, but it does not warn that these records may contain personal data, proprietary account intelligence, or sensitive business context. In a GTM automation skill, that omission materially increases the risk of unintended data disclosure, policy violations, and noncompliant processing because users are encouraged to operationalize external transfers at scale.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The playbook explicitly promotes reverse-email lookup and contact enrichment of personal data without any privacy, consent, or permissible-use guardrails. In a lead-generation skill, this increases the risk of misuse for deanonymization, profiling, and outreach based on sensitive personal data, especially because the workflow is framed as a default operational pattern rather than an exception requiring review.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The playbook explicitly promotes prospect enrichment, LinkedIn profile/post collection, and prospect event monitoring using personal identifiers and behavioral signals, but provides no privacy, consent, purpose-limitation, or lawful-use guardrails. In a GTM automation skill, this omission can normalize collection and monitoring of personal data in ways that create compliance, misuse, and surveillance risks at scale.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This playbook explicitly instructs users how to obtain emails and phone numbers tied to LinkedIn profiles, but it provides no privacy, consent, or lawful-use guardrails. In a lead-generation skill whose purpose is campaign activation and prospecting, that omission increases the likelihood of misuse for unsolicited outreach, privacy violations, or noncompliant processing of personal data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The search workflow discusses using filters and optionally revealing emails and phones, but frames the decision almost entirely in terms of credit cost rather than sensitivity of the personal data being revealed. That makes the skill operationally optimized for harvesting contact data without warning about privacy impact, consent, or restrictions on collecting and exposing personal identifiers at scale.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This playbook operationalizes bulk email verification, people sourcing, and role-account discovery against real-world contacts, but it provides no privacy/compliance guardrails such as lawful-basis checks, consent requirements, jurisdictional restrictions, or limits on outreach use. In a GTM skill whose explicit purpose is prospecting and campaign activation, that omission can normalize collection and processing of personal data in ways that violate internal policy or regulations and increase the risk of misuse at scale.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The playbook instructs users to send one or many email addresses to the external provider `kitt` for verification, but it does not warn that this transfers personal contact data to a third party or advise checking consent, legal basis, or tenant policy first. In a GTM workflow this omission is materially risky because the examples normalize high-volume batch submission, which can lead users to disclose prospect data externally without privacy review or user awareness.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The playbook explicitly promotes using an email address to derive a LinkedIn profile URL, which is a form of identity linkage and personal-data enrichment. In a lead-generation context this can enable profiling or outreach without the subject's knowledge, and the document provides operational guidance without any privacy, consent, or acceptable-use guardrails.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The playbook explicitly promotes reverse-phone identification to determine who a phone number belongs to, but it provides no privacy, consent, or permissible-use warning. In a lead-gen and campaign-activation context, this increases the risk of doxxing, non-consensual identity resolution, and misuse of personal data for outreach or profiling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The playbook includes enrichment examples using personal identifiers such as names, job titles, domains, and LinkedIn URLs without any accompanying privacy, lawful-basis, or data-handling guidance. In a lead-generation skill whose purpose is prospect and contact enrichment, this omission can normalize collection and processing of personal data without reminding operators to verify consent, contractual basis, retention limits, or jurisdictional restrictions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The examples explicitly process personal identifiers such as email addresses, LinkedIn URLs, names, company affiliation, and potentially phone numbers without any warning about consent, lawful basis, minimization, or acceptable-use constraints. In a GTM enrichment skill, this omission can normalize bulk handling of personal data and increase the likelihood of privacy violations, unauthorized enrichment, or misuse of regulated personal data.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The playbook explicitly enables lookup of personal contact data, including emails, phone numbers, job history, and healthcare-provider records via NPI, but provides no privacy, consent, or permissible-use guardrails. In a lead-generation and campaign-activation skill, that omission increases the risk of misuse, unlawful processing, or collection of sensitive personal data at scale.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The playbook provides ready-to-run batch commands that send personal data such as emails, names, LinkedIn URLs, and company identifiers to an external enrichment provider, but it does not include any privacy warning, consent check, or guidance on lawful data handling. In this skill context, that is materially risky because the skill is explicitly designed for prospecting and large-scale contact enrichment, which increases the chance of bulk transfer of personal data without user awareness or policy review.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This playbook instructs users to send email addresses and related diagnostic/profile fields to ZeroBounce, a third-party verification provider, but does not disclose that personal data leaves the platform or require any privacy/compliance check before use. In a GTM skill that operationalizes prospecting and sequencing, this omission can lead to unauthorized sharing of personal data, regulatory noncompliance, and user surprise at the point of action.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This recipe explicitly instructs users to enrich prospect records and even suggests obtaining mobile direct dials, but it provides no warning, gating, or compliance guidance for handling personal data. In a sales-enrichment skill, that omission increases the risk of privacy violations, misuse of contact data, and non-compliant outreach under internal policy or applicable regulations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The recipe operationalizes contact discovery, email finding, and verification for identifiable individuals without an explicit privacy/compliance warning, purpose limitation, or consent/legal-basis checkpoint. In a GTM skill, this increases the chance that users will use the workflow for bulk personal-data collection or outreach in ways that violate privacy policy, platform terms, or regulations such as GDPR/CCPA/CAN-SPAM.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The recipe explicitly recommends downstream actions that modify external systems and send company/account data to third parties (HubSpot, Slack, webhook targets) without an explicit confirmation or warning step. In an agentic workflow, this can cause unintended CRM writes, data disclosure, or notifications being sent based on auto-produced rows, especially if the user asked only for analysis or monitoring rather than activation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The recipe directs the operator to upload a local CSV of contacts/accounts into the workspace but does not require any explicit consent, sensitivity check, or warning that the file may contain personal or commercially sensitive data. In a GTM skill, those CSVs commonly include emails, phone numbers, CRM exports, and firmographic data, so omitting a notice and handling guidance increases the risk of unintended disclosure or non-compliant processing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The recipe instructs the agent to send personal/contact identifiers such as professional email, LinkedIn URL, and company domain to an external provider (`waterfall.detectJobChange`) without any explicit privacy notice, consent check, or data-minimization guardrail. In a GTM workflow this may be functionally expected, but the absence of a warning or approval step increases the risk of unauthorized third-party sharing of personal data and potential policy/regulatory noncompliance.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/lib/common.ts:184

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/lib/common.ts:165