cargo-orchestration

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
COMMAND_EXECUTION | EXTERNAL_DOWNLOADS | REMOTE_CODE_EXECUTION | PROMPT_INJECTION | DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the @cargo-ai/cli command-line tool to perform platform operations such as triggering workflows, querying data, and managing AI agents.
  • [EXTERNAL_DOWNLOADS]: The instructions involve installing the @cargo-ai/cli package from the npm registry and interacting with the vendor's cloud infrastructure at getcargo.io.
  • [REMOTE_CODE_EXECUTION]: The Cargo platform allows for the execution of custom Python and JavaScript snippets within workflow nodes to handle data transformations and logic. The skill provides examples of how to define and run these nodes.
  • [PROMPT_INJECTION]: The skill utilizes template expressions to interpolate data from external sources (like CRM records or data models) into AI prompts. This is an intended feature for data-driven AI tasks but represents a surface for indirect prompt injection if the source data is untrusted.
  • [DATA_EXFILTRATION]: The skill is designed to move data between the user's environment, the Cargo platform, and connected third-party services (e.g., Salesforce, HubSpot) as part of automated business processes.
Audit Metadata
Risk Level: SAFE
Analyzed: May 13, 2026, 12:23 PM