stitch-uviewpro-components

Pass

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: SAFE (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses a local shell script (scripts/fetch-stitch.sh) to download HTML design data. The script uses curl to fetch content from provided URLs and save it to a temporary file, which is a standard procedure for retrieving design assets.
  • [EXTERNAL_DOWNLOADS]: The skill downloads design metadata and assets from Stitch's infrastructure (Google Cloud Storage). This is a required step for the agent to analyze the design and perform the requested conversion to Vue code.
  • [PROMPT_INJECTION]: The skill processes untrusted HTML data from external URLs, creating a surface for indirect prompt injection.
      • Ingestion points: Design URLs and HTML content from Stitch.
      • Boundary markers: Absent.
      • Capability inventory: Bash, Read, Write tools are available across all instruction sets.
      • Sanitization: The skill does not perform explicit sanitization of the design HTML before analysis.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 2, 2026, 06:28 AM