arcgis-authentication
Fail
Audited by Snyk on Feb 24, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). This prompt shows and encourages embedding API keys/tokens directly in code (e.g., esriConfig.apiKey = "YOUR_API_KEY", esriId.registerToken({token: "YOUR_TOKEN"})) and logs/prints credentials (console.log("Token:", credential.token)), which requires the LLM to handle or output secret values verbatim.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill includes an HTML example that loads remote executable code at runtime from the ArcGIS CDN (https://js.arcgis.com/4.34/). The page executes this code as a required SDK dependency, so it is a runtime external dependency that executes remote code.
Audit Metadata