
stitch-loop

Pass

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill uses an iterative 'baton' system where the agent reads the prompt for its next task from next-prompt.md. This creates a surface for indirect prompt injection, as instructions or data from project files are directly interpolated into the prompts for the Stitch MCP generation tool.
      • Ingestion points: next-prompt.md, DESIGN.md, and SITE.md (SKILL.md Step 1 & 2).
      • Boundary markers: The skill uses bold headers (e.g., 'DESIGN SYSTEM (REQUIRED):') but lacks explicit instructions to the model to ignore any embedded malicious directions within the processed data.
      • Capability inventory: The agent has Bash (command execution), Write (file modification), and the ability to trigger code/UI generation via the stitch toolset.
      • Sanitization: There is no evidence of sanitization or escaping of the content read from the markdown files before it is used in the generation prompt.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute local scripts and start development services.
      • Evidence: Execution of bash scripts/fetch-stitch.sh to download generated assets (SKILL.md Step 3).
      • Evidence: Use of npx serve to launch a local web server for visual verification (SKILL.md Step 4.5).
  • [EXTERNAL_DOWNLOADS]: The skill fetches HTML and image assets from remote URLs provided by the Stitch MCP tool.
      • Evidence: Downloads content from [htmlCode.downloadUrl] using a local bash script. These URLs typically point to Google Cloud Storage (GCS) as part of the Stitch service ecosystem.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 21, 2026, 02:42 AM