stitch-design-md

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly downloads and parses arbitrary Stitch project HTML via the htmlCode.downloadUrl using scripts/fetch-stitch.sh and calls get_screen/get_project (including ingesting designTheme.designMd), which are untrusted/user-generated third-party contents that the agent reads and uses to generate DESIGN.md and Section 6 prompts that materially influence downstream behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill calls out to user-provided Stitch URLs like https://stitch.withgoogle.com/projects/3492931393329678076?node-id=375b1aadc9cb45209bee8ad4f69af450 and uses scripts/fetch-stitch.sh to download the HTML from the provided htmlCode.downloadUrl (GCS) at runtime, then parses that fetched content (including designMd and Tailwind/CSS tokens) to generate the DESIGN.md and the Section 6 prompt text — meaning runtime-fetched external content directly controls the agent's prompt/instructions.