canvas-data-fetching
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Tags: EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (LOW): The skill references external Node.js packages 'drupal-canvas' and 'drupal-jsonapi-params' which are not from trusted organizations. While these are common utilities for the stated purpose, they represent a dependency on external, untrusted sources.
- [Indirect Prompt Injection] (LOW): The skill handles data from external Drupal APIs, which creates a vulnerability surface for indirect prompt injection.
  * Ingestion points: Data is fetched from JSON:API endpoints using JsonApiClient.getCollection.
  * Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the provided templates.
  * Capability inventory: The skill performs UI rendering of fetched data; no high-risk capabilities such as file system modification or process execution are involved.
  * Sanitization: The patterns rely on standard React JSX escaping but do not specify explicit sanitization or validation for content fetched from the remote API.
Audit Metadata