https://godotengine.org/asset-library/asset/edit/9752 <- this has since been approved
You should not be able to see details of a pending asset. Yet you can, by following the link above. I could have found that link through enumeration, since the db uses incrementing numeric ids.
As you can see, I am not logged in, yet able to view this pending asset.
A malicious asset could be presented as legitimate since it's accessible on the official asset lib. There's nothing on the page to suggest that this is not approved.
(less likely) A malicious actor finds a pending asset with sensitive info accidentally left in there.