design-md
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (MEDIUM): The skill is designed to ingest and analyze external HTML content retrieved via
web_fetchfrom project-provided URLs (htmlCode.downloadUrl). - Ingestion points:
SKILL.mdinstructs the agent to download and parse HTML code from project metadata to extract design tokens. - Boundary markers: No explicit delimiters or instructions are provided to the agent to ignore natural language commands embedded within the fetched HTML or CSS comments.
- Capability inventory: The skill utilizes the
Writetool to generate aDESIGN.mdfile and hasweb_fetchcapabilities. - Sanitization: No sanitization or validation of the external HTML content is performed before analysis.
- Data Exposure & Exfiltration (LOW): The skill uses
web_fetchto access URLs dynamically provided by the Stitch MCP server. While this is necessary for its function, it creates a surface for network operations to non-whitelisted domains if a project's metadata is maliciously crafted.
Audit Metadata