threejs
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
Full Analysis
- Prompt Injection (SAFE): No override instructions, safety bypasses, or jailbreak patterns were detected within the skill files.
- Data Exposure & Exfiltration (SAFE): There are no attempts to access sensitive system files or credentials. Network operations are limited to asset loading placeholders and links to official documentation.
- Obfuscation (SAFE): The content is entirely readable markdown and JavaScript code. No Base64, zero-width characters, or homoglyphs are present.
- Unverifiable Dependencies & RCE (SAFE): All library references and imports pertain to the official Three.js package and its standard addons. No remote script execution patterns were found.
- Privilege Escalation (SAFE): The skill does not include any commands for acquiring elevated permissions or modifying system security settings.
- Persistence Mechanisms (SAFE): No mechanisms for establishing persistence or modifying startup scripts were identified.
- Metadata Poisoning (SAFE): The metadata accurately describes the skill's purpose as a Three.js development resource without deceptive instructions.
- Indirect Prompt Injection (SAFE): The skill functions as a static documentation repository; it does not ingest external untrusted data or provide exploitable execution capabilities.
- Time-Delayed / Conditional Attacks (SAFE): No logic was found that gates operations behind specific dates or environmental conditions.
- Dynamic Execution (SAFE): The skill uses standard Three.js APIs and shading languages (GLSL/WGSL/TSL) for graphics processing, with no use of unsafe dynamic execution functions like eval().
Audit Metadata