stitch-vue-vant-components
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill includes a bash script (
scripts/fetch-stitch.sh) that usescurlto fetch design assets (HTML) from remote URLs provided by the Stitch MCP server. - [COMMAND_EXECUTION]: The skill utilizes command-line operations, including the execution of the included fetch script and standard development commands such as
npm installandnpm run devto set up and test the generated project. - [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes untrusted HTML content from external Stitch design URLs. Ingestion points: External HTML source is downloaded via
scripts/fetch-stitch.shand design metadata is retrieved through thestitch-mcp-get-screentool. Boundary markers: The skill does not implement specific delimiters or 'ignore' instructions for the processed HTML content. Capability inventory: The skill has access toBash(including network downloads via curl), the file system (Read/Write), and thenpmenvironment. Sanitization: There is no explicit sanitization step described for the downloaded HTML before the agent parses it to generate Vue components.
Audit Metadata