arcgis-portal-content
Warn
Audited by Snyk on Apr 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly loads and queries ArcGIS Portal items and external layer/thumbnail URLs (e.g., Portal/PortalItem usage and portal.queryItems pointing at https://www.arcgis.com, FeatureServer/styleUrl, slide.thumbnail.url) and then reads and applies that content (bookmarks, slides, layers, and view state) as part of its workflow, meaning untrusted, user-published portal content can influence runtime actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime script imports that fetch and execute remote JavaScript (e.g., https://js.arcgis.com/4.34/, https://js.arcgis.com/4.34/map-components/, and https://js.arcgis.com/calcite-components/3.3.3/calcite.esm.js), which are required dependencies for the skill and execute remote code in the page.
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).