rodin3d-skill
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS)
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The `SKILL.md` file contains a hardcoded credential. It explicitly instructs users to use the free API key "vibecoding" if they do not have their own. Hardcoding shared secrets or keys is a significant security risk and violates best practices.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The `generate_3d_model.py` script implements a `download_model` function that fetches files from URLs provided by the API and writes them to the local file system. While this is the intended functionality (retrieving 3D models), it lacks validation of the source URL and relies on the integrity of the external API response.
- [UNVERIFIABLE_CODE] (HIGH): The skill depends on `scripts/api_client.py` for its core functionality, but the content of this file was not provided for analysis. Automated security scans detected a malicious phishing URL (client.do) associated with the skill, which likely resides within this missing implementation file.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes external text prompts and images which are then sent to a third-party API. The resulting output (URLs and filenames) is used to perform file-write operations. This creates an attack surface where a malicious API response could attempt to influence the agent's behavior or write files to unintended locations, although the current implementation limits this to the specified output directory.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata