stitch-loop
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches HTML code and screenshot assets from Stitch's official download URLs (e.g., stitch.withgoogle.com). These resources are provided by a well-known service associated with Google and are necessary for the skill's primary function of site generation.\n- [COMMAND_EXECUTION]: Uses the Bash tool to perform file system operations, such as moving assets to the production folder, and to start a local development server (npx serve) for visual verification of the generated pages.\n- [PROMPT_INJECTION]: The skill utilizes a 'baton' file (next-prompt.md) to store prompts for subsequent iterations. This creates a surface for indirect prompt injection where external modifications to the file could influence the agent's future actions. This is documented as a core feature for autonomous looping.\n
- Ingestion points: Reads instructions from next-prompt.md at the start of each build cycle.\n
- Boundary markers: Absent; the skill directly parses the baton file as task instructions.\n
- Capability inventory: Includes the ability to execute shell commands, write files, and interact with the Stitch MCP tools.\n
- Sanitization: No specific sanitization or validation of the baton file's content is described before processing.
Audit Metadata