arcgis-portal-content
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADS
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references the ArcGIS SDK and Calcite components from Esri's official CDN (
js.arcgis.com). These are well-known and trusted sources for GIS application development.\n- [PROMPT_INJECTION]: The skill provides patterns for processing metadata from ArcGIS Portal items (like titles and bookmark names), which could contain externally-controlled content. This represents a potential surface for indirect prompt injection.\n - Ingestion points: Data is ingested through
PortalItem.load(),portal.queryItems(), and UI components likearcgis-bookmarksinSKILL.md.\n - Boundary markers: No specific boundary markers or instructions to ignore embedded commands are used in the provided examples.\n
- Capability inventory: The skill allows the agent to perform actions such as
map.save(),map.saveAs(),item.update(), andview.goTo().\n - Sanitization: The examples do not demonstrate input sanitization, notably using direct string interpolation for SQL-like filters (e.g.,
where: "Name = '${bookmarkName}'"). Users should implement appropriate input validation when using these patterns.
Audit Metadata