Skills
skills/partme-ai/stitch-skills/stitch-vue-bootstrap-components/Gen Agent Trust Hub

stitch-vue-bootstrap-components

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill utilizes a bash script located at scripts/fetch-stitch.sh to download design assets (HTML and screenshots) from remote URLs. These URLs are provided dynamically by the stitch-mcp-get-screen tool.
  • [COMMAND_EXECUTION]: The agent is instructed to use the Bash tool to execute the fetch-stitch.sh script and manage project environments using npm install.
  • [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection (Category 8):
  • Ingestion points: The skill downloads external HTML content into the agent's workspace via scripts/fetch-stitch.sh.
  • Boundary markers: There are no instructions for the agent to use delimiters or ignore instructions embedded within the downloaded HTML during the conversion process.
  • Capability inventory: The agent has Bash, Write, and Read capabilities, which could be exploited if the agent follows instructions hidden in the design files.
  • Sanitization: The skill does not define any sanitization or validation steps for the fetched HTML before it is parsed and used to generate component code.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 6, 2026, 08:32 AM