stitch-design-md

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs calling Stitch MCP (e.g., [prefix]:get_screen / get_project) and then using web_fetch to download and parse HTML from htmlCode.downloadUrl and screenshots (screenshot.downloadUrl) returned by Stitch MCP, which are user/project-provided assets that the agent ingests and uses to drive design decisions, enabling untrusted third-party content to influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill fetches Stitch project assets at runtime (e.g. https://stitch.withgoogle.com/projects/... and the htmlCode.downloadUrl returned by stitch-mcp-get-screen) and directly uses the downloaded HTML/screenshot content to synthesize DESIGN.md and inject Section 6 into Stitch prompts, so external content can control the agent's prompts.