threejs

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly loads arbitrary external assets via loaders (e.g., references/02-loaders.md loader.load('model.gltf'), references/03-textures.md textureLoader.load('image.jpg'), references/15-specialized-loaders.md loader.load('model.dae'/'image.svg')) and then reads/uses model metadata, object names, animations and UI tooltips (e.g., gltf.animations, object.name, updateTooltip), so it ingests untrusted public/user-provided content as part of its runtime workflow.