ClawHub

Meshy AI

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Meshy.ai helper that sends user-selected prompts or images to Meshy and saves generated assets locally, with some privacy and scoping cautions but no hidden or malicious behavior found.

Install only if you are comfortable sending prompts and selected images to Meshy.ai under your Meshy account. Use the default Meshy endpoint unless you deliberately trust another MESHY_BASE_URL, and choose an output directory where generated files may be written.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill uses environment variables and network access but does not declare those capabilities as permissions. This creates a transparency and policy-enforcement gap: users or orchestrators may invoke the skill without understanding it will access secrets and make outbound API calls, increasing the chance of unintended secret use or data egress.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly instructs users to provide a local image file for an image-to-3D workflow that sends data to the Meshy.ai REST API, but it does not warn that the local image will be transmitted to a third-party service. This can lead users to upload sensitive, proprietary, or personal images without informed consent, especially because the skill emphasizes convenience and local file usage while downplaying the remote processing step.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The download function fetches arbitrary URLs and writes the response to an arbitrary local path without validation, restriction, or any confirmation step. In an agent context, if an upstream caller can influence the URL or output path, this can enable server-side request forgery to internal resources and unintended file overwrite/write on disk, which is more dangerous because this skill is explicitly designed to save remote outputs locally.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal