meshy
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: Downloads 3D models and assets from the official Meshy content delivery network (
cdn.meshy.ai).- [DATA_EXFILTRATION]: Accesses the local secrets file at~/.config/env/secrets.envto load API credentials. The skill transmits these credentials only to the authenticated Meshy API service.- [COMMAND_EXECUTION]: The documentation provides instructions for post-processing models using external CLI tools likegltf-pipelineand project-specific shell scripts. The skill's Python scripts themselves do not perform autonomous command execution.- [PROMPT_INJECTION]: The skill ingests data from external URLs (images, models) and local JSON manifests for batch processing, representing an indirect prompt injection surface. The risk is minimized by the use of structured parsing and parameter-based API requests. - Ingestion points:
meshy_batch.py(manifest files),meshy_image_to_3d.py(source images),meshy_texture.py(base model URLs). - Boundary markers: None.
- Capability inventory: File system writes (downloading models), Network operations (Meshy API), Local logging of task status.
- Sanitization: Input strings are used as JSON payloads in HTTP requests; manifest files are parsed using the standard
jsonlibrary.
Audit Metadata