Meshy 3D Agent
Security checks across malware telemetry and agentic risk
Overview
The skill is coherent for using the Meshy API, but users should be aware it uses a paid API key, runs generated Python/Bash workflows, and stores local output/history files.
Before installing, make sure you are comfortable giving the agent access to a Meshy API key and with generated prompts/assets being sent to Meshy and stored locally. Use a project-specific working directory, keep .env out of version control, and watch Meshy credit usage.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill authorizes the agent to spend Meshy API credits for requested generation tasks.
The skill requires a Meshy API key and uses it to create and poll tasks on the user's Meshy account, which is expected for this integration.
`MESHY_API_KEY` — API authentication token sent in HTTP `Authorization: Bearer` header only.
Use a dedicated Meshy API key if possible, monitor credit usage, and revoke the key if you no longer use the skill.
The agent will run local commands to contact Meshy and save generated files.
The skill directs the agent to generate and run local Python/Bash workflows. This is central to the API automation purpose, but it is still local code execution.
Write the entire create → poll → download flow as **ONE Python script** and execute in a single Bash call.
Run it from a trusted working directory and review generated scripts if you are handling sensitive files or credentials.
Installing the skill may fetch a package from the Python package ecosystem.
The skill installs the Python requests package without a pinned version. This is normal for a simple API client, but it depends on external package provenance.
[0] uv | package: requests
Install in a controlled environment if you need strict reproducibility, or pin/package-lock dependencies in your own deployment.
Creative prompts or project details may remain on disk after the session.
The skill keeps persistent local project history, which may include prompts, task IDs, metadata, and generated asset references.
History is tracked in `meshy_output/history.json`.
Avoid putting secrets in prompts and delete meshy_output/history.json or project folders if you do not want local history retained.
Terminal output may reveal a small prefix of the API key.
The security manifest says the API key is never logged, while the detection script prints the first eight characters. This is not a full-key leak, but the wording is imprecise.
Never logged ... `echo "READY: key=${MESHY_API_KEY:0:8}..."`
Remove key-prefix printing or update the documentation to say only a masked prefix is displayed.
