game-asset-generator

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and ingests open/public third‑party content (e.g., Sketchfab/Poly Haven/Poly.pizza downloads in references/asset-sources.md and World Labs/fal.ai/Meshy API responses in references and scripts like scripts/fal_queue_image_run.py and scripts/meshy-generate.mjs), and the workflow parses those API responses and downloaded assets/metadata to drive generation, fallback, and post-processing decisions—so untrusted, user-provided content is read and can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill configures DRACOLoader to fetch decoder binaries from https://www.gstatic.com/draco/versioned/decoders/1.5.6/ at runtime (dracoLoader.setDecoderPath), which causes remote code (WASM/JS decoders) to be loaded and executed and is relied on for Draco-compressed GLB handling.