design-md
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): Significant Indirect Prompt Injection vulnerability surface.
  - Ingestion points: Untrusted data enters the agent context through the Stitch MCP Server (list_projects, get_screen) and the web_fetch tool, which downloads HTML content from dynamic URLs (SKILL.md, Retrieval and Networking steps 4-5).
  - Boundary markers: Absent. The instructions require the agent to parse and translate values directly from external HTML/metadata into the final DESIGN.md without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill possesses Write privileges to create/modify files and web_fetch for network operations.
  - Sanitization: None. There is no logic to filter or escape content retrieved from the downloadUrl or project metadata.
  - Impact: An attacker who can influence a Stitch project's metadata or HTML source can inject instructions into the generated DESIGN.md. Because this file is defined as the 'source of truth' for future screen generation, this creates a persistent injection that can control the agent's behavior in subsequent sessions.
- [EXTERNAL_DOWNLOADS] (LOW): The skill is installed via npx from google-labs-code/stitch-skills. Under the [TRUST-SCOPE-RULE], this is considered low risk as it originates from a trusted organization (Google). However, the skill's operational logic to fetch arbitrary remote content via web_fetch based on MCP-provided URLs remains a vector for processing malicious payloads.
Recommendations
- AI detected serious security threats
Audit Metadata