threejs

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill configures DRACOLoader.setDecoderPath('https://www.gstatic.com/draco/versioned/decoders/1.5.6/'), which at runtime causes the app to fetch and execute remote decoder (JS/WASM) code used to decode Draco-compressed models, so this is a required external runtime dependency that executes remote code.