stitch-loop
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill's core loop relies on reading the next-prompt.md file (the "baton") to determine its next actions. Because this file lives in the working directory and is intended to be modified, it serves as an indirect prompt injection vector: an attacker could place malicious instructions in it that the agent, given its Bash and Write permissions, might execute. Evidence: SKILL.md Step 1 and Step 6.
- COMMAND_EXECUTION (HIGH): The agent is granted Bash access and instructed to perform operations such as starting a local server via npx serve. Combined with the autonomous loop and the injection surface above, this allows arbitrary shell command execution in the host environment. Evidence: SKILL.md Step 4.5.
- REMOTE_CODE_EXECUTION (HIGH): Using npx to run the serve package downloads and executes code from the npm registry at runtime. This behavior is triggered by the agent's internal logic and could be manipulated via prompt injection. Evidence: SKILL.md Step 4.5.2.
- EXTERNAL_DOWNLOADS (LOW): The skill downloads assets (HTML and images) from URLs provided by the Stitch MCP tool without validating the destination path or the URL content. Evidence: SKILL.md Step 3.4.
Recommendations
- AI detected serious security threats
Audit Metadata