add-3d-assets

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to prompt the user to paste their MESHY_API_KEY into the conversation and shows commands with MESHY_API_KEY= (inline), which requires the LLM to receive and potentially emit the secret verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's Step 4 "Generate / Download" explicitly instructs using Meshy AI and public asset sources (e.g., polyhaven and Sketchfab via scripts like scripts/find-3d-asset.mjs) to fetch GLB models and their .meta.json metadata, which the workflow loads/preloads and uses (e.g., to generate ATTRIBUTION.md and configure MODEL_CONFIG), so untrusted third‑party content is ingested and can materially influence behavior.