game-3d-assets

SUSPICIOUS: the skill’s overall purpose is coherent, but it expands trust to multiple third-party asset services, reads .env secrets directly, and forwards API keys into local helper scripts whose behavior is not visible here. This looks more like a risky asset-ingestion/integration workflow than malware, with medium-high security risk driven by credential handling, opaque script execution, and mutable external downloads.