sap-sac-custom-widget
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: CRITICAL
Full Analysis
- [REMOTE_CODE_EXECUTION]: The provided templates (e.g., templates/data-bound-chart.js) and integration guides (e.g., references/echarts-integration.md) include patterns for dynamically loading third-party JavaScript libraries such as Apache ECharts and Leaflet at runtime. These libraries are fetched from well-known and trusted Content Delivery Networks (CDNs) like jsdelivr.net and unpkg.com by injecting script elements created with document.createElement('script').
- [EXTERNAL_DOWNLOADS]: Documentation within the skill (SKILL.md) provides placeholder examples for hosting custom widget code on external services like GitHub Pages and Cloud Object Storage. These are standard implementation patterns for the SAC platform and use well-known service domains.
- [INDIRECT_PROMPT_INJECTION]: The skill facilitates the creation of components that process external data from SAP Analytics Cloud models, defining a potential ingestion surface for untrusted data.
  - Ingestion points: Untrusted data enters the widget via the dataBindings API, as documented in references/script-api-reference.md.
  - Boundary markers: Absent in the code templates; the skill does not explicitly demonstrate the use of delimiters to separate data from instructions.
  - Capability inventory: Widgets executed in the browser context possess capabilities for network requests (fetch) and DOM manipulation.
  - Sanitization: Best practice guides (references/best-practices-guide.md) provide helper functions like _sanitizeHTML to mitigate cross-site scripting (XSS) and other data-driven attacks.
Recommendations
- Contains 2 malicious URL(s) - DO NOT USE
Audit Metadata