stitch-loop
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements an iterative baton-passing pattern that creates a surface for indirect prompt injection.
- Ingestion points: Task instructions are read from .stitch/next-prompt.md and context from .stitch/SITE.md and .stitch/DESIGN.md.
- Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when processing these files.
- Capability inventory: The agent has access to Bash (for file moves and starting npx serve), Write (for updating project state), and specialized tools for page generation and browser control.
- Sanitization: There is no mechanism described for validating or escaping content read from context files before it is used in subsequent prompts or operations.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to perform standard file system and environment operations.
- Evidence: Instructions in Step 4 move files between directories, and Step 4.5 uses Bash to start a local development server using npx serve.
- [EXTERNAL_DOWNLOADS]: The skill performs network requests to retrieve generated assets from the platform.
- Evidence: Step 3 directs the agent to download HTML and screenshots from URLs provided by the Stitch MCP server to populate the local project directory.
Audit Metadata