Missing User Warnings
Medium
- Confidence
- 91% confidence
- Finding
- The README states that, without a Tripo API key, requests are sent through an operator-controlled proxy at skills.vast-internal.com using a shared secret, but it does not clearly disclose the privacy and trust implications of routing user prompts, images, and generated asset metadata through that third party. This can mislead users into sending potentially sensitive content to infrastructure they do not control, increasing the risk of unintended data exposure or misuse.
