add-3d-assets

SUSPICIOUS. The core behavior broadly matches the stated 3D asset purpose, but the trust model is weaker than it appears: it forwards a Meshy API key into an unverifiable local script, runs local project scripts from an arbitrary target repo, and requires loading additional unseen skills. This is not confirmed malware, but it carries meaningful supply-chain and credential-handling risk beyond a simple asset-integration guide.