threejs-builder

Warn

Audited by Snyk on Feb 16, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's examples and loaders explicitly load external resources, e.g., ES module imports from https://unpkg.com and multiple GLTF loader calls such as loader.load('path/to/model.gltf') and loader.load('models/character.gltf'). The runtime app therefore consumes arbitrary public CDN files and user-provided or third-party GLTF URLs, which may carry untrusted, user-generated content that the agent or code will read and interpret.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill includes runtime ES module imports from CDNs (e.g., https://unpkg.com/three@0.160.0/build/three.module.js and other https://unpkg.com/... links) that fetch and execute remote JavaScript as a required dependency of the skill, so the fetched content runs code in the user's environment.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 02:28 AM