stitch-ui-designer
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill's setup instructions require the agent to run 'npx -y stitch-mcp-auto'. This downloads code from the NPM registry without any version pinning or integrity checks.
- [COMMAND_EXECUTION] (HIGH): The skill uses 'mcporter' to configure and execute shell-based tools. The command 'mcporter config add stitch --command "npx" --args "-y stitch-mcp-auto"' grants the agent the ability to execute arbitrary commands via the NPM package runner.
- [REMOTE_CODE_EXECUTION] (HIGH): The use of 'npx' with the '-y' flag (auto-confirm) allows for the silent execution of remote code at runtime. If the package 'stitch-mcp-auto' is compromised or typosquatted, it leads to immediate system compromise.
- [DATA_EXPOSURE] (LOW): The workflow relies on 'gcloud auth' and environment variables like 'GOOGLE_CLOUD_PROJECT'. While no explicit exfiltration was found, the MCP server will have access to the user's Google Cloud credentials.
- [INDIRECT_PROMPT_INJECTION] (MEDIUM):
- Ingestion points: Untrusted UI code and screen data are fetched via 'stitch.fetch_screen_code' and 'stitch.generate_screen_from_text'.
- Boundary markers: None. The skill interpolates user descriptions directly into tool prompts.
- Capability inventory: The skill has the capability to 'save [code] to a file as requested', which is a write operation.
- Sanitization: None observed. Malicious instructions returned by the external Stitch service could potentially influence the agent when it processes the resulting HTML/CSS.
Recommendations
- AI detected serious security threats
Audit Metadata