stitch-design
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface identified in the design system synthesis workflow where the agent processes untrusted external data.
  - Ingestion points: In `workflows/generate-design-md.md`, the agent is instructed to use `read_url_content` to fetch HTML code from remote URLs for analysis.
  - Boundary markers: Absent. The instructions do not include delimiters or warnings to ignore embedded instructions within the fetched HTML content.
  - Capability inventory: The skill utilizes the `Write` tool to create local files (`.stitch/DESIGN.md`) and interacts with the Stitch MCP service, which could be influenced by malicious instructions in the ingested data.
  - Sanitization: Absent. There is no mention of validating or filtering the remote HTML content before processing it for design synthesis.
- [EXTERNAL_DOWNLOADS]: The skill performs remote downloads of assets to the local filesystem.
  - Evidence: Workflows in `workflows/text-to-design.md` and `workflows/edit-design.md` instruct the agent to download HTML and screenshots from URLs provided by the Stitch MCP tool output and save them to the `.stitch/designs` directory.
- [COMMAND_EXECUTION]: The skill instructs the agent to use shell commands for file management.
  - Evidence: In `workflows/text-to-design.md`, the instructions explicitly suggest using `curl -o` via `run_command` to perform the asset downloads to the local project environment.
Audit Metadata