stitch-to-react

Warn

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill requires the execution of a local shell script (scripts/fetch-stitch.sh) and npm commands such as npm install and npm run dev. Running local scripts with arguments derived from external metadata (like downloadUrl) increases the risk of command injection if the input is not handled securely by the agent or the underlying script.
  • [EXTERNAL_DOWNLOADS]: The workflow involves fetching HTML and image assets from remote URLs provided by the Stitch MCP server. This introduces a dependency on external infrastructure and subjects the environment to risks associated with downloading and processing remote content.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting design metadata and HTML source code from an external source to generate React components. Maliciously crafted design data could contain instructions intended to influence the agent's behavior or inject vulnerabilities into the generated source code.
      • Ingestion points: Design metadata from stitch:get_screen and HTML content from htmlCode.downloadUrl (SKILL.md).
      • Boundary markers: Absent. The skill does not provide delimiters or instructions to ignore embedded commands in the processed HTML data.
      • Capability inventory: Bash (command execution), Write (file creation), Read (file access), and web_fetch (network access).
      • Sanitization: The skill provides manual instructions to quote URLs in shell commands to prevent interpolation errors, but it lacks sanitization for the data being transformed into React code.
  • [REMOTE_CODE_EXECUTION]: The instruction to run npm install triggers the download and execution of packages from the npm registry. While standard for modern web development, this involves a supply-chain risk if the project dependencies are compromised or if the package.json (not provided) contains malicious lifecycle scripts.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 3, 2026, 02:38 AM