meshyai

Fail

Audited by Snyk on Mar 14, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). This prompt explicitly tells the agent to ask the user for their MESHY_API_KEY and then embed it verbatim in generated shell commands (e.g., MESHY_API_KEY= node ...), which forces the LLM to handle and output secret values directly and creates a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md, rigging-pipeline.md, and api-reference.md) explicitly downloads and ingests models and images from public URLs and third‑party services (e.g., Meshy asset URLs, user-provided image_url values, and fallback searches on Sketchfab/Poly Haven/Poly.pizza), and the agent is expected to load/inspect those assets to decide rigging, animation, and optimization steps—so untrusted external content can materially influence actions.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Mar 14, 2026, 12:54 AM
  • Issues: 2