Stitch Ui Designer

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill’s UI-design purpose is coherent, but it configures an unpinned external MCP package that may use Google Cloud credentials and create projects, so it needs review before use.

Before installing, verify the `stitch-mcp-auto` package source, prefer a pinned reviewed version, and use a dedicated least-privileged Google Cloud project. Confirm manually before creating any cloud project, and avoid putting sensitive product or customer details into UI prompts sent to Google Stitch.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An external package could run local code whenever the Stitch MCP server is used, and a later package update could change behavior without this skill changing.

Why it was flagged

This configures a persistent MCP server to execute an unpinned npm package via npx. The runnable package code is not included in the reviewed artifacts, so its provenance and future updates are not bounded.

Skill content

mcporter config add stitch --command "npx" --args "-y stitch-mcp-auto"

Recommendation

Pin the package to a reviewed version, document its trusted source, and have the user explicitly approve the first-time mcporter configuration.

Concern, Medium Confidence

ASI03: Identity and Privilege Abuse

What this means

The agent may operate with a Google Cloud identity that has broader privileges than needed, potentially creating account resources or using the wrong project.

Why it was flagged

The skill may use Google Cloud credentials and can create a cloud project, but the instructions do not bound scopes, billing/project impact, account selection, or require explicit confirmation before project creation.

Skill content

Ensure the user is authenticated with Google Cloud (the tool may prompt for `gcloud auth`). ... **create_project** ... *Use if no project exists.*

Recommendation

Use a least-privileged Google account/project, explicitly confirm before creating any project, and document the required auth scopes and environment variables.