earth2studio-data-fetch
Warn
Audited by Snyk on Jun 18, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). The required runtime workflow fetches “live docs and lexicon” from GitHub and then uses those readable pages’ contents to guide script generation, so outsider-authored free text from public web content is ingested via the doc/lexicon URLs.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill explicitly requires fetching live docs and lexicon files at runtime (e.g. https://github.com/NVIDIA/earth2studio/blob/main/earth2studio/lexicon/.py and https://nvidia.github.io/earth2studio/modules/datasources_analysis.html), and those fetched files are used to verify variables and determine which data source and code the agent generates, so external content directly controls the agent's prompts/behavior.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata