stitch-react-components

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses a bash script (scripts/fetch-stitch.sh) to download HTML design files from Google Cloud Storage URLs provided by the Stitch MCP tool. This operation is used for high-reliability fetching of design assets.
  • [COMMAND_EXECUTION]: The agent is instructed to execute local shell commands and Node.js package manager commands (npm install, npm run dev, npm run validate) to set up the development environment and perform quality checks on generated components.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) because it processes untrusted external design data (JSON/HTML) retrieved from the Stitch API to generate React code.
      • Ingestion points: Design data is retrieved via stitch-mcp-get-screen and the fetch-stitch.sh script.
      • Boundary markers: None identified in the prompt templates.
      • Capability inventory: Includes file writing, shell script execution, and Node.js command execution.
      • Sanitization: Relies on the agent's internal logic and an optional validation script (npm run validate).
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 6, 2026, 08:32 AM