Back to skill

Security audit

Meshy 3D Agent

Security checks across malware telemetry and agentic risk

Overview

The Meshy skill is mostly purpose-aligned, but it needs Review because it under-discloses local slicer/app probing and prints part of the API key while handling paid API actions and local app launching.

Install only if you intend to use Meshy with your own API key and are comfortable sending prompts, image URLs, or chosen local image data to Meshy and spending credits after confirmation. Treat console logs as sensitive because they may include an API key prefix, and require explicit approval before letting the skill detect or open local slicer applications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (35)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill contains code to discover locally installed slicers and launch desktop applications, expanding its behavior from API interaction into host reconnaissance and process execution. Even if intended for printing workflows, this exceeds least-privilege and creates unnecessary local capability that could be abused if the skill is triggered in the wrong context.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The security manifest claims no access outside project-local paths, but later code scans system application directories and environment-derived install paths to find slicers. This mismatch is dangerous because it hides broader host inspection behavior from reviewers and users, undermining trust and consent around local access.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The reference file documents capabilities well beyond the skill's declared scope, including image generation, Creative Lab product workflows, enterprise showcase access, and balance retrieval. In an agent setting, this scope drift can cause the model to invoke higher-cost or less-expected operations that users and platform reviewers did not intend, weakening least-privilege and increasing the chance of unauthorized or surprising actions.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill description is broad enough that it may activate for general 3D-related prompts, increasing the chance that credential handling, network access, or local file operations occur when the user did not intend to invoke this capability. Overbroad activation increases exposure by widening the set of contexts in which sensitive actions can be proposed or taken.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The printing trigger list includes common words like 'print', 'slice', and product terms that can appear in unrelated conversations, making accidental activation more likely. In this skill, accidental activation matters because the printing workflow includes local slicer detection, file manipulation, and external API usage.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The example performs an automatic download from a remote URL and writes the resulting file directly to local disk without any warning, confirmation, or path-safety guidance. In an agent workflow, that normalizes silent filesystem writes and could lead to unapproved persistence of large or untrusted artifacts.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This example again downloads a remote model artifact and writes it to disk with no warning about local persistence. Repeated patterns like this make it more likely an agent will silently create files as a default behavior, which is risky in sandboxed or sensitive environments.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The Image-to-3D sample writes a downloaded remote asset to disk without an explicit warning or consent step. Because the skill is designed to automate content generation pipelines, this can translate into silent artifact storage and handling of untrusted remote content.

Ssd 3

Medium
Confidence
95% confidence
Finding
The API key detection step echoes the first characters of the secret in terminal output. Partial credential disclosure is still sensitive metadata that can aid correlation, debugging leakage, screenshot exfiltration, or targeted secret hunting across logs and transcripts.

Ssd 3

Medium
Confidence
97% confidence
Finding
The reusable script explicitly logs a partial API key during normal execution, causing recurring credential leakage into console logs and agent transcripts. Repeated exposure raises the chance of accidental disclosure through saved outputs, monitoring systems, or user-shared logs.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
# --- Secure API key loading ---
def load_api_key():
    """Load MESHY_API_KEY from environment, then .env in cwd only."""
    key = os.environ.get("MESHY_API_KEY", "").strip()
    if key:
        return key
    env_path = os.path.join(os.getcwd(), ".env")
Confidence
70% confidence
Finding
os.environ.get("MESHY_API_KEY

Credential Access

High
Category
Privilege Escalation
Content
echo "ENV_VAR: NOT_FOUND"
fi

# 2. Check .env in current working directory only
if [ -f ".env" ] && grep -q "MESHY_API_KEY" ".env" 2>/dev/null; then
  echo "DOTENV(.env): FOUND"
  export MESHY_API_KEY=$(grep "^MESHY_API_KEY=" ".env" | head -1 | cut -d'=' -f2- | tr -d '"'"'" )
Confidence
60% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
fi

# 2. Check .env in current working directory only
if [ -f ".env" ] && grep -q "MESHY_API_KEY" ".env" 2>/dev/null; then
  echo "DOTENV(.env): FOUND"
  export MESHY_API_KEY=$(grep "^MESHY_API_KEY=" ".env" | head -1 | cut -d'=' -f2- | tr -d '"'"'" )
fi
Confidence
60% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
fi

# 2. Check .env in current working directory only
if [ -f ".env" ] && grep -q "MESHY_API_KEY" ".env" 2>/dev/null; then
  echo "DOTENV(.env): FOUND"
  export MESHY_API_KEY=$(grep "^MESHY_API_KEY=" ".env" | head -1 | cut -d'=' -f2- | tr -d '"'"'" )
fi
Confidence
60% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
# 2. Check .env in current working directory only
if [ -f ".env" ] && grep -q "MESHY_API_KEY" ".env" 2>/dev/null; then
  echo "DOTENV(.env): FOUND"
  export MESHY_API_KEY=$(grep "^MESHY_API_KEY=" ".env" | head -1 | cut -d'=' -f2- | tr -d '"'"'" )
fi

# 3. Final status
Confidence
60% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
# --- Secure API key loading ---
def load_api_key():
    """Load MESHY_API_KEY from environment, then .env in cwd only."""
    key = os.environ.get("MESHY_API_KEY", "").strip()
    if key:
        return key
Confidence
60% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
key = os.environ.get("MESHY_API_KEY", "").strip()
    if key:
        return key
    env_path = os.path.join(os.getcwd(), ".env")
    if os.path.exists(env_path):
        with open(env_path) as f:
            for line in f:
Confidence
60% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
| Animate a rigged character | Animation | `POST /openapi/v1/animations` | 3 |
| 2D image from text (recommended pre-step before image-to-3d) | Text to Image | `POST /openapi/v1/text-to-image` | 3 / 6 / 9 / 9 |
| Optimize/edit a 2D image (recommended pre-step before image-to-3d) | Image to Image | `POST /openapi/v1/image-to-image` | 3 / 6 / 9 / 12 |
| Photo → styled physical product (figure/lamp/keychain/fridge-magnet) | Creative Lab | `POST /openapi/creative-lab/{product}/v1/prototype` then `.../build` | 6 + 30 |
| Check FDM printability | Analyze Printability | `POST /openapi/v1/print/analyze` | **0 (free)** |
| Repair non-manifold/degenerate-face/hole topology | Repair Printability | `POST /openapi/v1/print/repair` | 10 |
| Multi-color 3D print | Multi-Color Print | `POST /openapi/v1/print/multi-color` | 10 (+ generation) |
Confidence
70% confidence
Finding
keychain

Credential Access

High
Category
Privilege Escalation
Content
| Reference image is low-resolution / cluttered background / unclear subject / bad lighting | `/openapi/v1/image-to-image` with `nano-banana-pro` to clean up. |
| User wants to adjust style / colors / details | `/openapi/v1/image-to-image` for style transfer, then 3D-ify. |

3-9 extra credits typically buy a noticeable quality bump. Skip when the user already provided a clean studio-style image. Also skip for **Creative Lab** products (figure / lamp / keychain / fridge-magnet): they apply their own built-in stylization — feed the raw photo (or text, for lamp) straight to Creative Lab, not through text-to-image / image-to-image first.

### Image to 3D
Confidence
70% confidence
Finding
keychain

Credential Access

High
Category
Privilege Escalation
Content
### Creative Lab Consumer Products

Turn a photo into a styled, printable physical product. Products: **figure**, **lamp**, **keychain**, **fridge-magnet**. Two stages (replace `{product}` with one of those):

1. **Prototype** (6 credits): photo → styled concept image.
2. **Build** (30 credits): runs image-to-3d on the SUCCEEDED prototype → textured GLB / OBJ+MTL.
Confidence
70% confidence
Finding
keychain

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Returns the full task object including `status`, `progress`, `model_urls`, `texture_urls`.

### DELETE /openapi/v2/text-to-3d/:id — Delete Task

Permanently deletes a task and all associated data.
Confidence
80% confidence
Finding
DELETE /openapi/v2/text-to-3d/:id

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Response:** `{"result": "<task_id>"}`

### GET /openapi/v1/image-to-3d/:id — Retrieve Task
### DELETE /openapi/v1/image-to-3d/:id — Delete Task
### GET /openapi/v1/image-to-3d — List Tasks
### GET /openapi/v1/image-to-3d/:id/stream — Stream Task
Confidence
80% confidence
Finding
DELETE /openapi/v1/image-to-3d/:id

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Response:** `{"result": "<task_id>"}`

### GET /openapi/v1/multi-image-to-3d/:id — Retrieve Task
### DELETE /openapi/v1/multi-image-to-3d/:id — Delete Task
### GET /openapi/v1/multi-image-to-3d — List Tasks
### GET /openapi/v1/multi-image-to-3d/:id/stream — Stream Task
Confidence
80% confidence
Finding
DELETE /openapi/v1/multi-image-to-3d/:id

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Response:** `{"result": "<task_id>"}`

### GET /openapi/v1/remesh/:id — Retrieve Task
### DELETE /openapi/v1/remesh/:id — Delete Task
### GET /openapi/v1/remesh — List Tasks
### GET /openapi/v1/remesh/:id/stream — Stream Task
Confidence
80% confidence
Finding
DELETE /openapi/v1/remesh/:id

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Response:** `{"result": "<task_id>"}`

### GET /openapi/v1/retexture/:id — Retrieve Task
### DELETE /openapi/v1/retexture/:id — Delete Task
### GET /openapi/v1/retexture — List Tasks
### GET /openapi/v1/retexture/:id/stream — Stream Task
Confidence
80% confidence
Finding
DELETE /openapi/v1/retexture/:id

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:137