Stitch Design Agent

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent design-integration purpose, but it can use broad Google credentials, modify the active codebase, install packages, and run commands without a clear approval checkpoint.

Review before installing. Use only least-privilege Google credentials, avoid broad or long-lived tokens where possible, run it on a branch, require the agent to show planned files and diffs before writing, and approve each npm install or npm script command before it runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill explicitly tells the agent to run `npm install <pkg>` for libraries referenced by generated code, allowing dependency changes based on untrusted remote output. This expands the skill from design integration into arbitrary package installation, increasing supply-chain risk and the risk of unintended code execution through package install scripts.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The skill authorizes broad shell execution for `tsc`, lint autofix, and related operations after integrating remote-generated code. Even if intended for verification, these commands can trigger project-defined scripts, plugins, or side effects outside the narrow scope of fetching and placing a design component.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger phrases are broad enough that the skill may activate on generic UI-generation requests, causing external API calls and code modifications when the user did not specifically intend Stitch integration. Unintended invocation is dangerous here because the skill performs network access, file writes, and command execution automatically.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs the agent to automatically write files, inject imports/JSX, and run verification commands without a clear user-facing consent checkpoint. Hidden side effects materially raise risk because the skill modifies the active codebase and executes commands based on code produced by an external service.

VirusTotal

65/65 vendors flagged this skill as clean.