stitch-loop
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill follows a 'baton-passing' pattern where it reads the next task from a local file (`.stitch/next-prompt.md`). This creates a significant surface for indirect prompt injection, as an attacker who can modify project files (e.g., via a pull request) could inject malicious instructions that the agent would then execute autonomously.
  - Ingestion points: `.stitch/next-prompt.md`, `.stitch/SITE.md`, and `.stitch/DESIGN.md` are all read and used to construct prompts.
  - Boundary markers: Absent. The content of these files is used directly, without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The agent has permissions for file system operations (`Read`, `Write`), command line execution (`Bash`), and interaction with web design tools (Stitch).
  - Sanitization: Absent. There is no logic to validate or sanitize the input from the 'baton' file before it is used to drive the next iteration.
- [COMMAND_EXECUTION]: The skill uses the `Bash` tool to start a local development server using `npx serve`. While `serve` is a common utility, `npx` dynamically downloads and executes code from the npm registry at runtime.
- [EXTERNAL_DOWNLOADS]: The skill is designed to download HTML and image assets from remote URLs generated by the Stitch MCP tool. While these are part of the intended workflow, the agent is instructed to fetch and save external content to the local filesystem.
Audit Metadata