cargo

Fail

Audited by Snyk on Jul 15, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly shows including an API token on the command line (cargo-ai login --token ), which encourages embedding secret values verbatim in generated commands and therefore creates an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). The GitHub repo looks like a legitimate project, but the direct install script (https://api.getcargo.io/install.sh) is served as a shell script and is recommended to be piped straight to sh in the SKILL, which is a high-risk pattern for arbitrary code execution and a common malware distribution vector.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The SKILL.md includes a runtime installer command that fetches and immediately executes remote code via "curl -fsSL https://api.getcargo.io/install.sh | sh", which directly runs external code during skill setup.

Issues (3)

W007
HIGH

Insecure credential handling detected in skill instructions.

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jul 15, 2026, 07:05 PM
Issues
3