stitch-design
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the system-level `curl` command to download HTML content from URLs provided in Stitch project metadata (e.g., `screenshot.downloadUrl`).
- [COMMAND_EXECUTION]: A PowerShell utility script (`scripts/stitch-to-react.ps1`) performs automated environment setup, including directory creation, file writing, and execution of package manager commands.
- [REMOTE_CODE_EXECUTION]: The skill invokes package managers (`npm`, `npx`) to download and execute code from public registries for project initialization and component installation (e.g., `npm create vite@latest`, `npx shadcn@latest`).
- [EXTERNAL_DOWNLOADS]: Fetches external screen assets, HTML, and design data via the Stitch MCP server and network-enabled CLI tools.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface by design as it processes content from untrusted or external sources to drive its autonomous "Build Loop" workflow.
  - Ingestion points: Reads task instructions from `next-prompt.md` (the "baton") and HTML/JSON data retrieved via the Stitch MCP tools (SKILL.md, Part 3).
  - Boundary markers: The instructions do not define boundary markers or include safety directives to ignore embedded instructions within the processed data.
  - Capability inventory: The skill has access to shell command execution (`curl`), file system manipulation (`stitch-to-react.ps1`), and remote package installation/execution (`npm`, `npx`).
  - Sanitization: There is no evidence of input validation or sanitization for content retrieved from external design screens or local task files.
Audit Metadata