cargo-content
Pass
Audited by Gen Agent Trust Hub on Jun 12, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the `@cargo-ai/cli` package from npm. This is the official command-line interface provided by the vendor (getcargohq) and is necessary for the skill to function.
- [COMMAND_EXECUTION]: The skill utilizes the `cargo-ai` CLI to perform operations such as listing, uploading, and removing files. These commands are executed to manage workspace knowledge and are not used for malicious purposes.
- [DATA_EXFILTRATION]: The skill includes functionality to upload files (PDFs, CSVs, text) to the Cargo platform via `cargo-ai content file upload`. This is a core feature intended for building knowledge libraries and does not appear to target sensitive system files or credentials.
- [INDIRECT_PROMPT_INJECTION]: The skill manages external data (files) that are used to ground agent responses. While this presents a potential surface for indirect prompt injection from malicious content within those files, it is a standard part of RAG functionality.
  - Ingestion points: `cargo-ai content file upload --file-path <path>`
  - Boundary markers: None specified in the instructions.
  - Capability inventory: None; the skill manages the storage of data rather than providing execution capabilities in this context.
  - Sanitization: None specified; the skill assumes the user is uploading trusted knowledge base content.