antv-l7
Warn
Audited by Snyk on May 12, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's workflow and examples explicitly instruct fetching and ingesting public/untrusted resources (e.g., references/data/source-geojson.md "From URL 加载 GeoJSON", references/data/source-mvt.md getCustomData and public tile URLs, and references/core/scene-methods.md Scene.addProtocol) and then use that content to drive visualization logic (layer.source(...), layer.setData(...), transforms, event-driven fetches), so arbitrary third‑party data can materially influence the agent's actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The SKILL includes a runtime CDN script that will be fetched and executed in the browser (https://gw.alipayobjects.com/render/p/hitu_npm/@antv/l7/2.23.2/dist/l7.js), which is a required runtime dependency in the provided CDN example and thus represents remote code execution risk.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata