stitch-vue-layui-components
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches design metadata and HTML content from Google Cloud Storage (withgoogle.com) using a dedicated bash script for reliability.
- [COMMAND_EXECUTION]: Invokes npm install for project setup and bash to execute the local fetch-stitch.sh script for resource retrieval.
- [PROMPT_INJECTION]: Presents an indirect prompt injection surface because it ingests and processes external design data from the Stitch MCP to generate source code.
  - Ingestion points: Design JSON metadata from stitch-mcp-get-screen and the downloaded temp/source.html file.
  - Boundary markers: Absent; there are no specific delimiters or instructions to ignore embedded commands in the design source.
  - Capability inventory: Includes file writing (Write), bash command execution (Bash), and package installation (npm).
  - Sanitization: Absent; the conversion logic directly translates design content into Vue template structures without validation or escaping.
Audit Metadata