stitch-mcp

Warn

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: MEDIUM

Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill encourages the use of pnpx @_davideast/stitch-mcp as the primary tool for agents. This command downloads and executes code from a non-official, individual-user-scoped NPM package that is not controlled by the skill author or a trusted organization.
  • [COMMAND_EXECUTION]: The CLI's init command is described as handling gcloud installation and credential management. This implies the tool performs high-risk environmental modifications and potentially privileged system commands.
  • [EXTERNAL_DOWNLOADS]: The skill instructions include using curl to download HTML and image assets from remote URLs (generated by the Stitch API) and writing them directly to the local filesystem in the .stitch/designs/ directory.
  • [PROMPT_INJECTION]: The skill's "Build Loop" and "Baton" system are vulnerable to indirect prompt injection.
    • Ingestion points: The agent is instructed to read instructions from .stitch/next-prompt.md and context from .stitch/DESIGN.md and .stitch/SITE.md (SKILL.md).
    • Boundary markers: The skill suggests a structured prompt format (e.g., "PAGE STRUCTURE" blocks) but lacks technical enforcement, delimiters, or explicit warnings to ignore embedded instructions in the ingested files.
    • Capability inventory: The agent possesses extensive capabilities, including network access, file system writes, and the execution of external CLI tools (pnpx, npx).
    • Sanitization: There is no mention of sanitizing or validating the content of the ingested Markdown files before they influence the agent's next task.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 13, 2026, 07:26 PM