frontend-blueprint
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill interacts with Google Stitch (stitch.withgoogle.com) and its MCP server at stitch.googleapis.com. Google is a trusted organization and well-known service.
- [COMMAND_EXECUTION]: The skill defines and utilizes 14 specific MCP tools for project management and design generation within the Google Stitch environment.
- [DATA_EXFILTRATION]: No unauthorized data exfiltration was detected. The skill provides clear instructions for users to manage their own API keys for the Stitch service and includes security warnings against public disclosure.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface as it processes user-provided visual references, URLs, and screenshots in the design discovery phases. This risk is minimal given the intended design use-case and the use of trusted backend services.
- Ingestion points: Phase 2 (Reference Collection) and Phase 4 (Stitch Prototyping).
- Boundary markers: Absent.
- Capability inventory: Execution of MCP tools and framework-specific code generation.
- Sanitization: No sanitization is mentioned for the content of visual or external references.
Audit Metadata