arcgis-utility-networks

Warn

Audited by Snyk on Feb 22, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md shows that it loads WebMap items from an ArcGIS portal (e.g., esriConfig.portalUrl = "https://www.arcgis.com" and portalItem id / WebMap.load() examples) and then reads utilityNetwork content from those maps. That content can be arbitrary public or user-generated ArcGIS Online content, which can influence tracing/widgets and therefore agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The skill includes a runtime script import that fetches and executes remote code from https://js.arcgis.com/4.34/ (and configures portalUrl to https://www.arcgis.com), which is a required external dependency that runs code at runtime.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 22, 2026, 08:01 PM