meshy-3d-generation
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses Bash and Python to automate the 3D generation process. It includes configuration steps that modify local shell profile files (e.g., ~/.bashrc, ~/.zshrc) to persist the MESHY_API_KEY environment variable.
- [DATA_EXFILTRATION]: During environment setup, the skill reads shell configuration files to automatically discover an existing MESHY_API_KEY. While these are sensitive files, the access is purpose-specific and the discovered key is only sent to the vendor's API.
- [EXTERNAL_DOWNLOADS]: The skill downloads 3D model files (GLB, FBX, OBJ) and thumbnail images from the Meshy AI API and its official asset domain (assets.meshy.ai). These downloads are authenticated and represent the functional output of the skill.
- [PROMPT_INJECTION]: The skill processes user-provided natural language prompts to drive 3D generation tasks.
- Ingestion points: User input provided in the prompt variable and task metadata returned from api.meshy.ai.
- Boundary markers: Missing explicit delimiters or instructions to ignore embedded commands within the Python script templates.
- Capability inventory: Subprocess execution via the Bash tool; file system write access for saving models, thumbnails, and history metadata.
- Sanitization: The user prompt is slugified using a regular expression (re.sub(r'[^a-z0-9]+', '-', ...)) before being used in file system paths.
Audit Metadata