caravo
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
npxutility to execute the@caravo/clitool for marketplace operations, including tool execution and wallet management. - [EXTERNAL_DOWNLOADS]: The skill dynamically downloads the
@caravo/clipackage from the npm registry and suggests manual installation of the skill definition viacurlfrom the vendor's domain. - [DATA_EXFILTRATION]: The CLI includes a feature that auto-converts local file paths (using
~/orfile://protocols) into data URIs and uploads them to the vendor's CDN when provided as tool inputs. While intended for file-processing tools, this creates an exfiltration surface if an agent is manipulated into selecting sensitive files. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it instructs the agent to ingest and follow commands or display text (like greetings and setup hints) provided by the remote Caravo API.
- Ingestion points: Data returned from the Caravo API via the
npx @caravo/cli startandexeccommands. - Boundary markers: There are no explicit delimiters or safety instructions provided to the agent to treat API responses as untrusted data.
- Capability inventory: The agent has the capability to execute shell commands (
npx) and read local files to pass to the CLI. - Sanitization: No sanitization or validation of the remote API content is performed before the agent processes it.
Audit Metadata