meshyai
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes shell commands (`node`, `grep`, `test`) to manage the Meshy AI generation workflow and verify the presence of API credentials in the local `.env` file.
- [EXTERNAL_DOWNLOADS]: The skill downloads and executes the `@gltf-transform/cli` package via `npx` from the npm registry to optimize generated 3D models. As this involves a well-known service, it is documented here for visibility into the skill's network dependencies.
- [PROMPT_INJECTION]: The skill provides an indirect prompt injection surface by interpolating user-provided text prompts and image file paths directly into shell command arguments.
  - Ingestion points: User input for generation prompts and image paths in `SKILL.md`.
  - Boundary markers: No protective delimiters or instructions to ignore embedded commands are present around the interpolated variables.
  - Capability inventory: Shell command execution via `node` across multiple generation and animation scripts.
  - Sanitization: No sanitization or input validation is performed on user-supplied strings before they are passed to the shell.
Audit Metadata