preview-threejs
Warn
Audited by Socket on Apr 17, 2026
1 alert found:
Security alert, severity MEDIUM: templates/scripts/threejs-renderer.js
No direct evidence of built-in malware (e.g., credential theft, exfiltration, crypto-mining) exists in this snippet alone. However, the module contains a high-impact, supply-chain-like risk: it dynamically loads and executes additional JavaScript from a DOM-derived `userCodeSrc` without visible validation or sandboxing. It also uses `innerHTML` for UI construction and inserts `error.message` via `innerHTML`, which can enable DOM XSS depending on helper implementations and error content. This file should only be used with strict control over `threejs-user-code-src` (allowlist + integrity) and should render dynamic text with text-safe APIs instead of `innerHTML` for error messages.
Confidence: 70%
Severity: 80%
Audit Metadata