syncfusion-blazor-maps
Fail
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: A hardcoded Google Maps API key (AIzaSyDOkaKwIy4-B-5lW3j7H7xUV8k1JnPXpCU) was found in the implementation examples in references/map-providers.md.
- [EXTERNAL_DOWNLOADS]: The skill fetches map tiles from the OpenStreetMap tile server (tile.openstreetmap.org) and retrieves geographic datasets (GeoJSON) from Syncfusion's official CDN (cdn.syncfusion.com). These are recognized as legitimate vendor and well-known service resources.
- [REMOTE_CODE_EXECUTION]: The skill documentation instructs users to install and integrate the Syncfusion.Blazor NuGet package into their applications.
- [DATA_EXFILTRATION]: The skill supports exporting map visualizations to external file formats including PNG, SVG, and PDF, as well as initiating system print operations.
- [PROMPT_INJECTION]: The skill provides a surface for indirect prompt injection by allowing the rendering of custom HTML content in map annotations and tooltips, which could be exploited if the underlying data source contains malicious instructions.
- Ingestion points: Untrusted geographic data enters the agent context through DataSource, ShapeDataSource, and UrlTemplate properties across multiple reference files.
- Boundary markers: No explicit delimiters or instructions to ignore embedded commands are included in the prompt interpolation examples.
- Capability inventory: The skill possesses the capability to export files, handle user interaction events, and persist state to browser local storage.
- Sanitization: The documentation does not describe or implement sanitization or validation of external content before it is rendered as HTML in annotations or tooltips.
Recommendations
- AI detected serious security threats
Audit Metadata