frontend-blueprint
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill uses a structured discovery process and integrates with Google Stitch, a prototyping tool from Google Labs (a well-known service). All external references and configuration instructions are legitimate and relate to the service's intended use.
- [PROMPT_INJECTION]: The skill processes user-supplied visual references and images, creating a potential surface for indirect prompt injection.
- Ingestion points: Visual references, URLs, and image uploads described in Phase 2 of SKILL.md and the upload_screens_from_images tool in references/stitch-integration.md.
- Boundary markers: The instructions lack explicit delimiters or safety warnings to ignore instructions embedded within the user-provided design data.
- Capability inventory: Includes MCP tools for project creation and screen editing (create_project, edit_screens, get_screen).
- Sanitization: There is no mention of sanitizing or validating external content before it influences the design synthesis or code generation phases.
- Note: This vulnerability surface is inherent to the skill's primary function as a design assistant and does not indicate malicious intent.
Audit Metadata