game-3d-assets

Warn

Audited by Snyk on Apr 23, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs the use of scripts such as scripts/find-3d-asset.mjs and curl to fetch models from open/public sites (Sketchfab, poly.pizza, polyhaven, raw GitHub, meshy.ai). The AssetLoader/verification steps then require reading GLB/GLTF contents (clips, bounding box, orientation), which are parsed and used to decide clipMaps, transforms, and runtime behavior. Untrusted third-party content is therefore fetched and directly influences agent actions.

Issues (1)

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 23, 2026, 09:36 PM
Issues: 1