threejs-3d-generator
Warn
Audited by Gen Agent Trust Hub on Jul 9, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to run a script named
probe_asset_credentials.shfrom a directory belonging to a different skill (~/.claude/skills/threejs-game-director/). Since this script is not part of the analyzed package, its full functionality and safety cannot be verified. - [CREDENTIALS_UNSAFE]: The instructions direct the agent to source the user's shell profiles (
~/.zshrcand~/.zprofile) to find theTRIPO_API_KEY. Sourcing these files loads the user's entire environment into the agent's execution context, which may expose unrelated and highly sensitive secrets like AWS keys, GitHub tokens, or database credentials. - [EXTERNAL_DOWNLOADS]: The included Python script
threejs_3d_asset.pydownloads 3D models and images from the Tripo API (api.tripo3d.ai) directly to the local project directory. - [COMMAND_EXECUTION]: The skill relies on the execution of a Python script that interacts with external APIs and performs file system operations (writing models and JSON metadata) based on remote API responses.
Audit Metadata