threejs-loaders

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The examples call dracoLoader.setDecoderPath("https://www.gstatic.com/draco/versioned/decoders/1.5.6/") and KTX2Loader.setTranscoderPath("https://cdn.jsdelivr.net/npm/three@0.160.0/examples/jsm/libs/basis/"), which are runtime-fetched decoder/transcoder binaries (WASM/JS) that will be executed locally to decode assets, so they are external runtime dependencies that execute remote code.