xrift-world

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly documents runtime loading of untrusted, public/user-provided content — e.g., asset loading via useXRift()'s baseUrl (CDN-hosted GLB/textures) in SKILL.md and references/code-templates.md, a VideoPlayer with a URL input that can load arbitrary video URLs (references/api-reference.md), and useInstance/useWorld that fetch instance/world info (names, thumbnails) which the app reads and uses to drive navigation/confirmation — meaning third-party content is ingested and can influence navigation and actions.