hz-unity-fbx-import
Warn
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill provides detailed instructions for the agent to generate and execute C# code snippets using the `Unity_RunCommand` tool to handle file system operations, ZIP extraction, and asset configuration within the Unity Editor.
- [EXTERNAL_DOWNLOADS]: The skill is designed to fetch external assets, including FBX models and textures, from remote URLs provided by the user. It includes examples from Meta-owned content delivery networks and GitHub.
- [REMOTE_CODE_EXECUTION]: The fallback import pipeline involves downloading external ZIP and FBX files and then executing code to process them. This pattern of downloading and programmatically processing external data creates a potential vector for exploitation if a malicious source URL is used.
- [PROMPT_INJECTION]: The skill processes untrusted input in the form of URLs and file paths. While it includes validation steps and instructions to ask for clarification, this input surface is vulnerable to indirect prompt injection where instructions could be embedded in metadata or query parameters.
Audit Metadata