add-3d-assets

Warn

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [DATA_EXFILTRATION]: Accesses the sensitive .env file to retrieve the MESHY_API_KEY. Accessing environment files is a sensitive operation as they often contain unrelated project credentials and secrets.
  • [COMMAND_EXECUTION]: Executes shell commands to search for keys, source environment variables, and run local scripts for asset generation.
  • [PROMPT_INJECTION]: Vulnerable to indirect prompt injection as the skill reads and processes untrusted user project files to drive its logic.
      1. Ingestion points: Reads package.json, src/core/Constants.js, and entity scripts in src/gameplay/ and src/entities/.
      2. Boundary markers: None used when interpolating file content into the agent context.
      3. Capability inventory: Writing and modifying project source files and executing shell commands.
      4. Sanitization: No sanitization or validation of ingested code content before processing.
  • [EXTERNAL_DOWNLOADS]: Fetches 3D models and assets from well-known services including Meshy AI, Poly Haven, and Sketchfab.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Jun 13, 2026, 08:07 PM