
stitch-design

Warn

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The README.md includes an installation command referencing google-labs-code, which misleadingly suggests the skill is an official Google project. This contradicts the actual authorship by involvex and can lead to an incorrect assessment of the skill's trust level.
  • [COMMAND_EXECUTION]: Documentation in workflows/text-to-design.md directs the agent to execute shell commands (curl -o) using run_command. This tool is not listed in the allowed-tools section of SKILL.md, indicating an attempt to utilize unauthorized shell-level capabilities for file management.
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to fetch remote data using read_url_content and curl. Neither of these tools is included in the skill's allowed-tools frontmatter, suggesting operations that exceed the intended execution scope.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests and processes HTML content from external URLs to generate design system documentation.
      • Ingestion points: workflows/generate-design-md.md retrieves HTML from external URLs via read_url_content.
      • Boundary markers: There are no instructions or delimiters directing the agent to ignore potentially malicious instructions embedded within the fetched HTML content.
      • Capability inventory: The agent has permissions to write to the local filesystem (Write) and trigger design generation via StitchMCP based on synthesized data.
      • Sanitization: No sanitization or validation of the external HTML content is implemented before the agent analyzes it.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 26, 2026, 05:06 AM
Security Audit — agent-trust-hub — stitch-design