Back to skill

Security audit

Cargo Workspace Management

Security checks across malware telemetry and agentic risk

Overview

This skill is mainly for Cargo workspace administration, but it also recommends persistent Claude session hooks that read transcripts and log summaries, plus an unverified pipe-to-shell installer.

Review this carefully before installing. Use it only with a Cargo workspace/account where you are comfortable granting administrative CLI authority, avoid uploading sensitive files unless necessary, do not create broad tokens casually, and decline or disable the Claude session hooks unless you explicitly want session titles, summaries, and transcript-derived activity to be recorded. Prefer a reviewed, pinned, or package-managed installer path instead of piping a remote script directly into a shell.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill instructs agents to record sessions via `workspaceManagement session upsert`, but the manifest description does not disclose that the skill can log session metadata and summaries to a remote workspace system. This weakens informed consent and can cause operators to invoke the skill for routine workspace administration without realizing it also performs activity logging.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill supports `file upload` and `list-columns`, but the manifest description omits this capability. Because file upload can transmit potentially sensitive workspace data, failing to declare it up front increases the risk of unintended data exposure through an apparently narrower administrative skill.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
Session logging is presented as part of this workspace-management skill, but it is only loosely connected to the stated purpose and encourages persistent recording of agent session identifiers, titles, and summaries. In context, that expands the skill from admin operations into telemetry collection, creating privacy and governance risk if users did not intend to store interaction metadata.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The recommended hooks automatically read Claude session transcripts and pass derived content to external tools, including `claude -p`, which can expose sensitive prompt, user, or workspace data beyond the declared workspace-management purpose. Because this is presented as a recommended default and installed into persistent hooks, it increases the risk of silent data collection and onward transmission whenever sessions run.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The session upsert and report guidance encourage transmitting session/task details, summaries, commands tried, errors, and related identifiers, yet there is no explicit privacy warning or redaction requirement beyond one example. This can lead agents or users to send sensitive operational data, personal data, or confidential prompts into workspace systems without adequate notice.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The documentation recommends `curl ... | sh`, which executes remotely fetched code immediately without integrity verification, pinning, or review. If the endpoint, transport, or upstream distribution is compromised, users can run arbitrary shell commands on their machine under their current privileges.

External Script Fetching

High
Category
Supply Chain
Content
- `--finished` stamps `finished_at = now`. Use `--finished-at <iso>` for an explicit timestamp instead.
- Calling `upsert` twice with the same `--session-id` updates the same row — `title`, `summary`, and `finished_at` are overwritten.

Returns the upserted session as JSON. The Cargo installer (`curl -fsSL https://api.getcargo.io/install.sh | sh`) wires SessionStart + Stop + SessionEnd hooks that call this command automatically: SessionStart writes a placeholder, the per-turn Stop hook checkpoints the row (no `--finished`), and SessionEnd writes the transcript-driven AI summary with `--finished` — see [`references/examples/sessions.md`](references/examples/sessions.md).

## Workspace files
Confidence
97% confidence
Finding
curl -fsSL https://api.getcargo.io/install.sh | sh

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.