stitch-design-system

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Retrieval Workflow (Step 4/Step 5) instructs the agent to download and parse HTML from the screen's htmlCode.downloadUrl via web_fetch (user/project-provided HTML/CSS assets), which is untrusted user-generated content that the agent must read and use to drive synthesis and subsequent prompting, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly calls web_fetch at runtime to download and parse htmlCode.downloadUrl (and related screenshot.downloadUrl) and uses that fetched HTML to extract tokens and drive the DESIGN.md synthesis, so remote content at those downloadUrl endpoints can directly control prompts/instructions.