stitch-loop
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
PROMPT_INJECTION COMMAND_EXECUTION EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill implements a 'baton-passing' pattern where the agent reads instructions for its next iteration from a local markdown file (`next-prompt.md`). This creates a surface for indirect prompt injection as the agent's behavior is dictated by file content that could be influenced by external data or previous iterations.
  - Ingestion points: Task instructions are parsed from `next-prompt.md`, and project roadmap context is read from `SITE.md`.
  - Boundary markers: The skill uses YAML frontmatter to separate metadata from the prompt body, but lacks specific 'ignore' directives to prevent instruction overrides within the markdown body.
  - Capability inventory: The agent has access to `Bash`, `Write`, `Read`, and the `stitch` toolset.
  - Sanitization: No sanitization or validation of the task prompt is performed before it is passed to the generation tools.
- [COMMAND_EXECUTION]: The execution protocol utilizes the `Bash` tool to start a local development server using `npx serve`. This is a standard procedure for visual verification of web content but involves executing CLI commands.
- [EXTERNAL_DOWNLOADS]: The skill is designed to download generated HTML and image assets from URLs (`downloadUrl`) provided by the Stitch MCP tool. These assets are retrieved and saved to the local file system in a staging directory (`queue/`).
Audit Metadata