Meshy Openclaw

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly scoped Meshy API helper that sends user-provided prompts or images to Meshy to generate 3D assets, with no evidence of hidden or unrelated behavior.

Install only if you are comfortable sending Meshy your generation prompts, image URLs, and any local images you choose to convert to 3D. Use a project-specific .env for MESHY_API_KEY, keep .env out of version control, and review the cost confirmation before letting the skill spend API credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill discloses in the manifest that prompts and image URLs are sent to Meshy's API, but it does not clearly warn users at interaction time that local images or generation prompts they provide will leave the machine. In a skill that accepts user-supplied files and creative prompts, missing just-in-time disclosure can lead to unintended transmission of sensitive or proprietary content to a third party.

VirusTotal

66/66 vendors flagged this skill as clean.
