meshyai
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it processes untrusted user input (API keys and generation prompts). It directs the agent to interpolate the user-provided
MESHY_API_KEYdirectly into a shell command (MESHY_API_KEY=<key> node ...) without guidance on sanitizing the input against command injection. \n - Ingestion points:
MESHY_API_KEY(SKILL.md)\n - Boundary markers: Absent in shell interpolation instructions\n
- Capability inventory: Command execution of local Node.js scripts (SKILL.md)\n
- Sanitization: Absent in prompt instructions\n- [COMMAND_EXECUTION]: The skill performs expected command-line operations using local scripts
meshy-generate.mjsandoptimize-glb.mjsto manage the Meshy AI lifecycle and optimize GLB assets. These are internal project utilities.\n- [EXTERNAL_DOWNLOADS]: The skill downloads generated 3D assets from Meshy AI's official domain (assets.meshy.ai). It also usesnpxto execute the well-known@gltf-transform/clipackage for model optimization. These are recognized as well-known and reputable services.\n- [CREDENTIALS_UNSAFE]: The skill correctly identifies the need for aMESHY_API_KEYand instructs the agent to check the environment or prompt the user, avoiding the use of hardcoded secrets or insecure storage.
Audit Metadata