cargo-cdk

Fail

Audited by Snyk on Jul 11, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The docs state that importing any .ts runs registration side-effects and explicitly recommend importing a generated .cargo-ai JS file while also describing CI deploys that use workspace tokens and env secrets — this combination permits arbitrary code execution at import time (RCE/backdoor) and potential exfiltration of secrets when runs happen in CI.

Issues (1)

E006
CRITICAL

Malicious code pattern detected in skill scripts.

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jul 11, 2026, 02:31 AM
Issues
1