asset-pipeline-3d

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime loader calls setTranscoderPath/setDecoderPath to fetch and execute decoder/transcoder code from external hosts (e.g. https://cdn.jsdelivr.net/npm/three@0.171.0/examples/jsm/libs/basis/ and https://www.gstatic.com/draco/versioned/decoders/1.5.7/), which are fetched at runtime and required to decode compressed textures/geometry—so they execute remote code and control runtime behavior.