game-3d-assets

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly asks the user for API keys/tokens and shows examples that embed them verbatim in shell commands and scripts (e.g., MESHY_API_KEY=, SKETCHFAB_TOKEN=), so the LLM would need to handle and output secret values directly, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill explicitly fetches models from public third-party sources (meshy.ai via meshy-generate.mjs, Sketchfab and Poly.pizza via scripts/find-3d-asset.mjs and example curl downloads from raw.githubusercontent.com), and the workflow requires the agent to read model data/metadata (clips, bounding boxes, facing, etc.) and use those values to decide animation mappings and integration behavior, so untrusted user-generated content can materially influence actions.