syncfusion-react-scheduler
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE, PROMPT_INJECTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to process appointment data (such as subjects and descriptions) from external sources, which presents a surface for indirect prompt injection.
  - Ingestion points: As described in references/data-binding.md, the component fetches scheduling data from remote OData and REST services.
  - Boundary markers: The provided implementation patterns do not include delimiters or instructions to ignore potential commands embedded within event fields.
  - Capability inventory: The component supports CRUD operations (addEvent, saveEvent, deleteEvent) and file export features (exportToExcel, exportToICalendar) as documented in references/advanced-features.md.
  - Sanitization: The instructions do not specify validation or sanitization of the data content received from external services before it is rendered or processed by the agent.
- [CREDENTIALS_UNSAFE]: The file references/data-binding.md contains a hardcoded Google API key (AIzaSyBgbX_tgmVanBP4yafDPPXxWr70sjbKAXM) within a code example demonstrating integration with public Google Calendar data.
- [EXTERNAL_DOWNLOADS]: The documentation provides examples of connecting to external data services, including endpoints at services.syncfusion.com, services.odata.org, and googleapis.com. These references are intended for standard component functionality and data binding.
Audit Metadata