Ai 3d Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for text-to-STL generation, but it asks agents to generate and run local Python code from prompts without enough safety boundaries.

Install only if you are comfortable reviewing or sandboxing generated Python before it runs. Use a disposable workspace or container, restrict output filenames to simple basenames, avoid enabling the cron example unless you intentionally want recurring generation, and verify the hardcoded virtualenv and dependencies before running the scripts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly describes an automated flow where an LLM generates Python code and that code is then executed to produce and export STL files, but it does not provide meaningful safety controls, sandboxing, or prominent warnings about executing untrusted generated code and writing to the filesystem. In this context, the generated script could perform arbitrary local actions beyond mesh generation, making the issue more dangerous than a simple documentation omission because the workflow normalizes code execution from model output.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal