Meshy Openclaw
Analysis
The skill appears purpose-aligned for Meshy 3D generation, with expected API-key use, local script execution, and local output/history files to review before use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
Write the entire create → poll → download flow as **ONE Python script** and execute in a single Bash call. Use `python3 -u script.py` for unbuffered output.
The skill intentionally directs the agent to write and execute local Python scripts through Bash; this is central to the API workflow, but users should understand that local commands will run.
`Never logged` ... `echo "READY: key=${MESHY_API_KEY:0:8}..."`The security manifest says the key is never logged, but the detection script prints a masked prefix of the key to the session output.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
`MESHY_API_KEY` — API authentication token sent in HTTP `Authorization: Bearer` header only. Never logged, never written to any file except `.env` in the current working directory when explicitly requested by the user.
The skill requires a Meshy API credential and may optionally store it locally; this is expected for the Meshy integration, but it gives the skill authority to act on the user's Meshy account.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
History is tracked in `meshy_output/history.json`.
The skill records generated project history locally; this is disclosed and purpose-aligned, but prompts and asset metadata may persist after the session.