stitch-loop
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill reads task instructions from next-prompt.md to drive an autonomous loop. [Ingestion: next-prompt.md; Boundaries: YAML frontmatter only; Capabilities: Bash, Write, stitch*:*; Sanitization: None]. Malicious content in the baton file or poisoned output from a previous iteration can hijack the agent's logic and control future actions.
- Dynamic Execution (HIGH): The {page} variable extracted from the untrusted baton file is used in Bash commands (Step 4.5 starts a dev server) and file moves (Step 4) without sanitization. This enables command injection and directory traversal if the filename contains shell metacharacters or path segments like ../.
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill downloads HTML and image assets from remote URLs provided by the Stitch tool output and saves them to the local filesystem without verification. This poses a risk if the generation service is compromised or the URLs are manipulated.
Recommendations
- AI detected serious security threats
Audit Metadata