hz-unity-fbx-import

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly requires including entire URLs with query parameters and authentication tokens (e.g., ?token=...) verbatim in the FbxUrl parameter and example payloads, which forces the LLM to handle and output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly requires fetching and ingesting arbitrary HTTP/HTTPS URLs as part of its core workflow (see SKILL.md Step 1 "Remote URL" and Step 4 "Call Unity_ImportExternalModel") and the fallback (FALLBACK_MANUAL_IMPORT.md Step 2) instructs using UnityWebRequest.Get() to download assets, so the agent will consume untrusted third‑party content from public URLs that can materially influence import, materials, and placement actions.