stitch-sdk-usage

Pass

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches the @google/stitch-sdk package from the npm registry. This package is maintained by a well-known technology provider.
  • [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection by accepting and processing user-controlled text strings for UI generation.
  • Ingestion points: User-supplied text prompts in the generate, edit, and variants methods in SKILL.md.
  • Boundary markers: None; prompts are passed as raw strings to the SDK methods.
  • Capability inventory: SDK methods execute network requests to stitch.googleapis.com and access the local file system via the uploadImage function as described in SKILL.md.
  • Sanitization: No sanitization or validation of the input prompt is described in the SDK documentation.
Audit Metadata
Risk Level
SAFE
Analyzed
May 8, 2026, 02:12 AM