r3f-loaders

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). This skill explicitly loads and processes assets from URLs (e.g., useGLTF('/model.glb'), useLoader/useTexture/useVideoTexture with URL paths and external decoder paths like 'https://www.gstatic.com/...') and then reads/uses the returned GLTF scene, nodes, materials and loader progress item at runtime, which means it ingests and interprets content from potentially untrusted third‑party sources.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill sets Draco decoder paths that are fetched at runtime and execute decoder code (WASM/JS) to decode Draco-compressed models — e.g. https://www.gstatic.com/draco/versioned/decoders/1.5.6/ (also https://www.gstatic.com/draco/v1/decoders/) — which the skill relies on for Draco-compressed assets.