threejs-ops
Warn
Audited by Snyk on Jul 4, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill includes runtime import-map and loader decoder paths that will fetch and execute remote JS/WASM from CDNs — e.g. https://cdn.jsdelivr.net/npm/three@0.185.1/build/three.module.js and https://cdn.jsdelivr.net/npm/three@0.185.1/examples/jsm/, plus decoder/transcoder paths like https://www.gstatic.com/draco/versioned/decoders/1.5.7/ and https://cdn.jsdelivr.net/npm/three@0.185.1/examples/jsm/libs/basis/ — which are fetched/used at runtime (no‑bundler/import-map and loader setup) and thus constitute required external code execution.
Issues (1)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata