3D Maker Companion
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process that can read the skill directory may be able to read the saved Meshy API key.
The helper stores the Meshy API key in a local .env file. This is purpose-aligned, but it is still credential handling that users should understand.
def set_key(api_key):
    env_path = os.path.join(os.path.dirname(__file__), "..", ".env")
    with open(env_path, "w") as f:
        f.write(f"MESHY_API_KEY={api_key}\n")
Prefer an environment variable or ensure the .env file has appropriate local file permissions and is not shared or committed.
Prompts or image URLs used for generation are sent to Meshy, and generated tasks may affect the associated Meshy account usage.
The script creates authenticated Meshy API tasks using user-provided prompts or image URLs. This matches the skill purpose, but it can send content to an external service and may consume account credits.
response = requests.post(f"{API_URL_V2}/text-to-3d", headers=headers, json=payload)
Only submit content you are comfortable sending to Meshy and confirm account usage or credit costs before running generation commands.
Running the setup may install or update a local Python package outside a locked dependency set.
The documented setup installs the requests package from PyPI without a pinned version. This is expected for the Python client, but it is still a dependency installation.
"command": "pip install requests"
Install in a virtual environment and pin or review dependencies if you need stricter reproducibility.
