The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The installation and configuration sections in SKILL.md recommend running 'npx -y stitch-mcp'. This command fetches and executes code from an unverified package on the NPM registry. The underlying source code is hosted in a third-party repository (Kargatharaakash/stitch-mcp) which has not been verified for safety, posing a risk of executing unvetted code.
[PROMPT_INJECTION]: The 'Build Loop' pattern described in the 'Advanced Patterns' section of SKILL.md introduces an indirect prompt injection vulnerability. It instructs the agent to read task instructions from a file named 'next-prompt.md' and use that content to generate screens. 1. Ingestion points: 'next-prompt.md' file content is read and processed in Step 1 of the 'Execution Protocol'. 2. Boundary markers: The file uses YAML frontmatter, but the markdown body is used directly as a prompt without delimiters. 3. Capability inventory: The skill uses 'mcp__stitch__generate_screen_from_text', 'Write', 'Edit', and 'Bash' tools across its scripts. 4. Sanitization: There are no documented steps for sanitizing or validating the content read from the 'baton' file before it is used to drive agent actions.
[COMMAND_EXECUTION]: The documentation includes instructions to modify shell profile files (.bashrc, .zshrc) using 'bash' or 'edit' tools to set environment variables. Modification of shell initialization scripts can be leveraged for persistence or environment manipulation.
[DATA_EXFILTRATION]: In resources/stitch-api-reference.md, the documentation specifies that the 'get_screen' tool returns a 'downloadUrl' which the agent should fetch using 'curl'. This allows an external service (the MCP server) to provide arbitrary URLs that the agent will attempt to access, which could be used to exfiltrate data or fetch malicious content.

moai-platform-stitch