Stitch Ui Designer
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An external package could run local code whenever the Stitch MCP server is used, and a later package update could change behavior without this skill changing.
This configures a persistent MCP server to execute an unpinned npm package via npx. The runnable package code is not included in the reviewed artifacts, so its provenance and future updates are not bounded.
mcporter config add stitch --command "npx" --args "-y stitch-mcp-auto"
Pin the package to a reviewed version, document its trusted source, and have the user explicitly approve the first-time mcporter configuration.
The agent may operate with a Google Cloud identity that has broader privileges than needed, potentially creating account resources or using the wrong project.
The skill may use Google Cloud credentials and can create a cloud project, but the instructions do not bound scopes, billing/project impact, account selection, or require explicit confirmation before project creation.
Ensure the user is authenticated with Google Cloud (the tool may prompt for `gcloud auth`). ... **create_project** ... *Use if no project exists.*
Use a least-privileged Google account/project, explicitly confirm before creating any project, and document the required auth scopes and environment variables.
