meshy

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill accepts and ingests arbitrary external URLs (e.g., meshy_image_to_3d.py's resolve_image accepts http(s) image URLs and meshy_texture.py accepts arbitrary model_url values) and the runtime client downloads/uses those remote resources (see MeshyClient.create_image_to_3d / create_text_to_texture and download_model), so untrusted third‑party content from the open web is fetched and used in the generation workflow.