worldlabs
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill interfaces with the official World Labs Marble API at
api.worldlabs.aito perform its stated function of 3D environment generation. - [CREDENTIALS_SAFE]: Sensitive information is handled via the
WORLDLABS_API_KEYenvironment variable. The skill provides instructions for the agent to verify the existence of this key in a local.envfile, which is a standard and secure practice for managing secrets in a development environment. - [COMMAND_EXECUTION]: The skill utilizes a local script
scripts/worldlabs-generate.mjsto interact with the API. The documented commands are restricted to passing necessary parameters (prompts, images, and output paths) for environment generation. - [EXTERNAL_DOWNLOADS]: The skill recommends the installation of the
@sparkjsdev/sparkNode.js package, which is the legitimate high-performance renderer for the Gaussian Splat format used by World Labs. - [INDIRECT_PROMPT_INJECTION]: The skill processes user-supplied prompts and images as input for 3D generation. While this represents a data ingestion surface, the risk is minimized as the data is passed to a specialized 3D generation API rather than being used to construct complex executable logic.
Audit Metadata