threejs-3d-generator

Warn

Audited by Gen Agent Trust Hub on Jul 9, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to run a script named probe_asset_credentials.sh from a directory belonging to a different skill (~/.claude/skills/threejs-game-director/). Since this script is not part of the analyzed package, its full functionality and safety cannot be verified.
  • [CREDENTIALS_UNSAFE]: The instructions direct the agent to source the user's shell profiles (~/.zshrc and ~/.zprofile) to find the TRIPO_API_KEY. Sourcing these files loads the user's entire environment into the agent's execution context, which may expose unrelated and highly sensitive secrets like AWS keys, GitHub tokens, or database credentials.
  • [EXTERNAL_DOWNLOADS]: The included Python script threejs_3d_asset.py downloads 3D models and images from the Tripo API (api.tripo3d.ai) directly to the local project directory.
  • [COMMAND_EXECUTION]: The skill relies on the execution of a Python script that interacts with external APIs and performs file system operations (writing models and JSON metadata) based on remote API responses.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 9, 2026, 10:37 PM
Security Audit — agent-trust-hub — threejs-3d-generator