AR XR Builder
Pass
Audited by ClawScan on May 1, 2026.
Overview
This documentation-only skill is coherent for building Kivicube AR/XR pages, with disclosed third-party script and browser permission considerations but no suspicious behavior in the artifacts.
This skill appears safe to install as a documentation helper. Before using its generated integration code in production, confirm that you trust the Kivicube-hosted script, keep the page on HTTPS, request only necessary browser permissions, and review how any private media assets or camera/photo outputs will be handled.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Pages built from this guidance may execute Kivicube-hosted JavaScript on the user's site.
The integration depends on a remote third-party script from Kivicube. This is expected for the plugin-based AR/XR purpose, but users should trust that provider and monitor changes to the hosted script.
<script src="https://www.kivicube.com/lib/iframe-plugin.js"></script>
Use the official Kivicube domain intentionally, review the provider’s documentation and security posture, and apply normal web supply-chain controls such as CSP and change monitoring.
End users of pages built with this guidance may be prompted for device permissions, and the embedded AR runtime may receive access allowed by the browser.
The example iframe grants sensitive browser capabilities, including camera, microphone, and motion sensors. These are disclosed and mostly expected for AR/XR use, but they are still high-trust permissions.
allow="xr-spatial-tracking;camera;microphone;autoplay;fullscreen;gyroscope;accelerometer"
Request only the permissions needed for the experience, clearly explain permission prompts to end users, and test behavior across target browsers and WebViews.
Data used in the AR experience, such as scene events, media assets, and camera/photo outputs, may cross the host/Kivicube iframe boundary as part of normal operation.
The host page communicates with a third-party iframe runtime. This cross-frame provider boundary is clearly described and purpose-aligned, but assets, events, and photo/camera flows should be treated as external integration data flows.
Kivicube owns the inner experience and exposes a public runtime bridge through `iframe-plugin.js`.
Avoid passing private assets unless intended, configure CORS deliberately, and review Kivicube’s privacy and data-handling expectations before launch.
