add-3d-assets
Fail
Audited by Snyk on Mar 14, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly asks the user for their Meshy API key and shows command examples that embed MESHY_API_KEY= on the command line, which requires the agent to handle and output the secret verbatim.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and ingests assets from public third-party sources (Step 4 and fallback in SKILL.md: Meshy AI at https://app.meshy.ai and downloads/searches from Poly Haven / Sketchfab into public/assets/models/ and reads .meta.json), and those external files/metadata are parsed and used to drive model integration and runtime behavior.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).