Skills
skills/openaec-foundation/three.js-claude-skill-package/threejs-syntax-loaders/Snyk

threejs-syntax-loaders

Warn

Audited by Snyk on Apr 1, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The SKILL.md examples and workflow show Three.js loaders (GLTFLoader, TextureLoader, RGBELoader, etc.) fetching and parsing assets from arbitrary URLs (e.g., 'https://other-domain.com/texture.jpg', 'model.glb', 'https://www.gstatic.com/...') and then reading gltf.scene, animations, cameras and userData as part of runtime logic, which clearly ingests untrusted third‑party content that can influence application behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill calls dracoLoader.setDecoderPath('https://www.gstatic.com/draco/versioned/decoders/1.5.6/'), which at runtime causes the loader to fetch and execute remote WASM/JS decoder files (remote code) and is presented as a required dependency for Draco-compressed models.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 1, 2026, 08:14 PM
Issues
2