pencil-design-from-stitch-html

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md and usage.md explicitly require calling Stitch MCP get_screen and downloading HTML from the provided htmlCode.downloadUrl (Fetch HTML step) or accepting user-pasted HTML, then parsing the DOM and Tailwind classes to drive batch_design operations in Pencil, so arbitrary/untrusted third‑party page content is fetched and directly influences tool actions and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches HTML at runtime from Stitch (htmlCode.downloadUrl / URLs under https://stitch.withgoogle.com/projects/... e.g. https://stitch.withgoogle.com/projects/123/screen/456), and that fetched HTML is parsed and used to drive the agent's conversion/mapping logic (directly controlling generated instructions), so this is a runtime external dependency that controls agent behavior.