meshy-3d-printing

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFE; COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes system commands to detect and launch 3D slicer applications.
    • Evidence: Uses subprocess.run, subprocess.Popen, and os.startfile in SKILL.md to interact with software like OrcaSlicer, Bambu Studio, and PrusaSlicer.
  • [EXTERNAL_DOWNLOADS]: The skill downloads 3D model files from the vendor's infrastructure.
    • Evidence: Uses the requests library to fetch OBJ and 3MF files from assets.meshy.ai as part of the model generation workflow.
  • [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection via the processing of untrusted user data.
    • Ingestion points: User-provided text prompts and image URLs are interpolated into Python scripts in SKILL.md.
    • Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present in the script templates.
    • Capability inventory: The skill has capabilities for network requests (requests), file system writes (open().write()), and command execution (subprocess) across its scripts.
    • Sanitization: No sanitization or validation of the user-provided prompt or URL strings was detected before interpolation.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 9, 2026, 08:50 PM