meshy

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Downloads 3D models and assets from the official Meshy content delivery network (cdn.meshy.ai).- [DATA_EXFILTRATION]: Accesses the local secrets file at ~/.config/env/secrets.env to load API credentials. The skill transmits these credentials only to the authenticated Meshy API service.- [COMMAND_EXECUTION]: The documentation provides instructions for post-processing models using external CLI tools like gltf-pipeline and project-specific shell scripts. The skill's Python scripts themselves do not perform autonomous command execution.- [PROMPT_INJECTION]: The skill ingests data from external URLs (images, models) and local JSON manifests for batch processing, representing an indirect prompt injection surface. The risk is minimized by the use of structured parsing and parameter-based API requests.
  • Ingestion points: meshy_batch.py (manifest files), meshy_image_to_3d.py (source images), meshy_texture.py (base model URLs).
  • Boundary markers: None.
  • Capability inventory: File system writes (downloading models), Network operations (Meshy API), Local logging of task status.
  • Sanitization: Input strings are used as JSON payloads in HTTP requests; manifest files are parsed using the standard json library.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 04:39 PM
Security Audit — agent-trust-hub — meshy