arcgis-widgets-advanced
Warn
Audited by Snyk on Feb 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly loads and uses external web map and layer URLs (e.g., BuildingSceneLayer pointing to tiles.arcgis.com, OrientedImageryLayer to sampleserver6.arcgisonline.com, and FloorFilter using a user-specified web map item-id), so untrusted third-party content is fetched and interpreted at runtime and can materially change widget behavior such as filtering and rendering.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The skill examples load and execute remote JavaScript at runtime from the ArcGIS CDN (e.g., https://js.arcgis.com/4.34/ and https://js.arcgis.com/calcite-components/3.3.3/calcite.esm.js), which runs external code and is presented as a required dependency for the widgets.
Audit Metadata