pixijs-assets

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly fetches and interprets arbitrary external content via Assets.load and Assets.init (e.g., loading manifest URLs like await Assets.init({ manifest: "assets/manifest.json" }) and arbitrary CDN/API URLs such as Assets.load({ src: "https://cdn.example.com/...", parser: "json" })), so it ingests untrusted third-party JSON, images, SVGs, videos, etc., which can materially change loader behavior and subsequent actions.