meshy-3d-printing
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands using Python's `subprocess` module to detect and launch 3D slicer applications (such as OrcaSlicer, Bambu Studio, and PrusaSlicer) on the user's system. It uses platform-specific commands like `open` on macOS and direct executable calls on Windows and Linux to pass generated 3D model files to the software.
- [EXTERNAL_DOWNLOADS]: Downloads 3D model assets in various formats (OBJ, 3MF, GLB) from the vendor's asset hosting service at `assets.meshy.ai` into local project directories.
- [DATA_EXFILTRATION]: Transmits user-provided prompts, settings, and image URLs to the vendor's API at `api.meshy.ai` for processing and model generation.
- [PROMPT_INJECTION]: The skill demonstrates an indirect prompt injection surface as it processes external data.
  - Ingestion points: User-provided prompts and downloaded 3D model files (OBJ) from the remote API.
  - Boundary markers: Absent; user input and downloaded content are used without explicit delimiters.
  - Capability inventory: Subprocess execution for launching slicers and local file system write access for model post-processing.
  - Sanitization: No evidence of input sanitization or validation for user-provided prompts or downloaded model content before they are processed by the script's logic.
Audit Metadata