arcgis-tables-forms
Warn
Audited by Snyk on Apr 17, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). This skill instantiates FeatureLayer objects from public URLs and loads ArcGIS CDN scripts (e.g., the Complete Example creates a FeatureLayer with url "https://services3.arcgis.com/.../FeatureServer/0" and the page loads "https://js.arcgis.com/5.0/"), meaning it ingests untrusted public web content (layer data and form/text elements) that the component reads and that can affect UI behavior and editing actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill includes required runtime script imports that execute remote code from the ArcGIS CDN (e.g., https://js.arcgis.com/5.0/ and https://js.arcgis.com/5.0/map-components/), so external content fetched at runtime will execute code in the skill environment.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata