meshyai

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly asks the user to paste their MESHY_API_KEY into the conversation and shows command examples embedding MESHY_API_KEY=, which requires the agent to receive and may output secret values verbatim (exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly ingests public third‑party content as part of its required workflow — e.g., image URLs accepted by scripts/meshy-generate.mjs and the documented fallback flow using find-3d-asset.mjs to search/download models from public sites (Sketchfab, Poly Haven, Poly.pizza) listed in SKILL.md — which are untrusted/user-generated sources and are downloaded/processed and thus can materially influence subsequent tool actions (model selection, rigging, downloads, optimizations).