stitch-to-react

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local bash scripts (scripts/fetch-stitch.sh) and standard npm commands (npm install, npm run dev, npm run validate) to manage the development environment and process design files.
  • [EXTERNAL_DOWNLOADS]: It downloads HTML and image assets from remote URLs obtained through the Stitch MCP tool, which is a core part of its design-to-code functionality.
  • [PROMPT_INJECTION]: The skill processes external HTML data, which creates a surface for indirect prompt injection; it also includes instructions to override default license headers.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 9, 2026, 10:24 PM