stitch-design
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, NO_CODE
Full Analysis
- NO_CODE (SAFE): The skill consists entirely of Markdown files and documentation. No Python scripts, JavaScript, shell commands, or executables are present in the provided files.
- Data Ingestion (LOW): The skill is designed to process HTML and CSS code exported from the external Google Stitch tool. While this represents a surface for indirect prompt injection (e.g., instructions hidden in HTML comments), the risk is mitigated as the skill's primary function is refactoring and mapping code to a local design system, and it lacks dangerous capabilities like automated command execution.
- File System Usage (SAFE): The skill documents the creation of design review files within the .claude/workflow/ directory. This is standard behavior for managing project state and does not involve accessing sensitive system paths or credentials.
- External Links (SAFE): The skill references 'https://stitch.withgoogle.com', which is a legitimate Google domain for the AI design tool. No suspicious third-party domains or automated 'curl/wget' operations were detected.
Audit Metadata