Stitch Ui Designer

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: stitch-ui-designer
Version: 1.0.0

The skill's `SKILL.md` instructs the agent to configure `mcporter` so that the Stitch MCP server is launched with `npx -y stitch-mcp-auto`. This is a supply-chain risk: `npx` downloads the `stitch-mcp-auto` package from the npm registry and runs it with the user's local privileges, `-y` suppresses the install prompt, and no version is specified, so whatever is published under that name at launch time is what runs. Such a package can execute arbitrary code and can read the Google Cloud credentials the skill expects the user to create through `gcloud auth`. The stated purpose is benign, but running an unpinned third-party npm package via `npx` is a high-risk capability regardless of intent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An external package runs local code every time the Stitch MCP server starts, and because no version is pinned, a later release of that package can change the behaviour without any change to this skill or to the artifacts ClawScan reviewed.

Why it was flagged

This configures a persistent MCP server entry that executes an unpinned npm package through `npx`. The package code itself is not among the reviewed artifacts, so neither its provenance nor its future updates are bounded by this review.

Skill content
mcporter config add stitch --command "npx" --args "-y stitch-mcp-auto"
Recommendation

Pin the package to a reviewed version, document its trusted source, and have the user explicitly approve the first-time mcporter configuration.
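One way to apply this recommendation mechanically is to check every MCP server entry before it is installed and refuse the ones that launch an unpinned package. The checker below is an added example, not ClawScan's or the skill's own code; the only fact it takes from the report is the quoted command line (`npx -y stitch-mcp-auto`). The pinned and ranged variants, the version `1.2.3`, and the `node ./server.js` entry are constructed to show what the checker accepts and rejects.

```python
"""Classify the package spec an MCP server entry launches through npx.

Added example (not ClawScan's or the skill's code). The report quotes
`npx -y stitch-mcp-auto`; the other sample entries below are constructed.
"""
import re
import shlex

# A registry spec is name[@version]; scoped names start with "@scope/".
SPEC_RE = re.compile(r"^(?P<name>(?:@[\w.-]+/)?[\w.-]+)(?:@(?P<version>.+))?$")
# Exact semver, optionally with pre-release/build metadata. Anything else
# (a range, an x-range, a dist-tag such as "latest") re-resolves on a later run.
EXACT_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[\w.-]+)?(?:\+[\w.-]+)?$")
# npx flags that consume the following token.
VALUE_FLAGS = {"-p", "--package", "-c", "--call"}


def npx_package_spec(command: str, args: str):
    """Return the package spec npx would fetch, or None if this is not an npx launch."""
    if command.split("/")[-1] != "npx":
        return None
    tokens = shlex.split(args)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUE_FLAGS and i + 1 < len(tokens):
            if tok in ("-p", "--package"):
                return tokens[i + 1]       # "npx -p pkg cmd": the package is the flag value
            i += 2
            continue
        if tok.startswith("--package="):
            return tok.split("=", 1)[1]
        if tok.startswith("-"):
            i += 1                          # -y/--yes and other boolean flags
            continue
        return tok                          # first positional token is the package spec
    return None


def classify_spec(spec: str) -> str:
    """'pinned' for an exact version, 'unpinned' for no version/tag/range,
    'non-registry' for git, URL or file specs whose provenance the registry cannot vouch for."""
    if "://" in spec or spec.startswith(("git+", "github:", "file:", "./", "/")):
        return "non-registry"
    m = SPEC_RE.match(spec)
    if not m:
        return "non-registry"
    version = m.group("version")
    if version is None or not EXACT_RE.match(version):
        return "unpinned"
    return "pinned"


def audit_mcp_server(name: str, command: str, args: str) -> dict:
    """Audit one mcporter-style server entry (command plus its argument string)."""
    spec = npx_package_spec(command, args)
    if spec is None:
        return {"server": name, "spec": None, "status": "not-npx"}
    auto_install = any(t in ("-y", "--yes") for t in shlex.split(args))
    return {"server": name, "spec": spec, "status": classify_spec(spec),
            "auto_install": auto_install}


# Constructed sample entries. The first is the line the skill actually installs;
# the version 1.2.3 is hypothetical, not a known release of stitch-mcp-auto.
SAMPLE_SERVERS = [
    ("stitch", "npx", "-y stitch-mcp-auto"),
    ("stitch-pinned", "npx", "-y stitch-mcp-auto@1.2.3"),
    ("stitch-range", "npx", "-y stitch-mcp-auto@^1.2.0"),
    ("local", "node", "./server.js"),
]

if __name__ == "__main__":
    for server, cmd, args in SAMPLE_SERVERS:
        result = audit_mcp_server(server, cmd, args)
        verdict = "OK" if result["status"] in ("pinned", "not-npx") else "BLOCK"
        print(verdict, result)
```

A "pinned" verdict still only bounds the version, not the provenance: the reviewer must also record where the package was reviewed from, and the install should be the point at which the user approves the entry, as the recommendation says.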

Concern: Medium Confidence
ASI03: Identity and Privilege Abuse
What this means

The agent may operate with a Google Cloud identity that has broader privileges than needed, potentially creating account resources or using the wrong project.

Why it was flagged

The skill may use the user's Google Cloud credentials and exposes a `create_project` tool, but its instructions do not bound the OAuth scopes, the billing or project impact, or which account is used, and they do not require explicit confirmation before a project is created.

Skill content
Ensure the user is authenticated with Google Cloud (the tool may prompt for `gcloud auth`). ... **create_project** ... *Use if no project exists.*
Recommendation

Use a least-privileged Google account/project, explicitly confirm before creating any project, and document the required auth scopes and environment variables.
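The recommendation can be enforced at the point where the agent dispatches tool calls, before any Google Cloud API is touched. The policy gate below is an added example, not the skill's or ClawScan's code. It takes only the tool name `create_project` from the report; the policy class, the `approved_by_user` flag, the `project` and `project_id` parameter names, the hypothetical `get_design` tool, and the project id `stitch-dev-123` are all assumptions made for the illustration.

```python
"""Pre-execution policy for Google Cloud tool calls issued by an agent skill.

Added example (not the skill's or ClawScan's code). Only the tool name
`create_project` comes from the report; parameter names, the other tool
name and the project ids are constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Optional


class PolicyViolation(Exception):
    """Raised when a tool call falls outside the policy; the agent must stop, not retry."""


@dataclass
class GcpToolPolicy:
    # The one project the skill may operate in; None means the operator has not bound one.
    allowed_project: Optional[str]
    # Tools that change account or billing state and need an explicit user approval.
    confirm_tools: frozenset = frozenset({"create_project"})
    # Environment the skill depends on; listed so the operator can document and scope it.
    required_env: tuple = ("CLOUDSDK_CORE_PROJECT",)

    def check(self, tool: str, params: dict, env: dict,
              approved_by_user: bool = False) -> dict:
        """Return the parameters to execute with, or raise PolicyViolation."""
        missing = [k for k in self.required_env if k not in env]
        if missing:
            raise PolicyViolation(f"{tool}: missing required environment {missing}")
        if self.allowed_project is None:
            raise PolicyViolation(f"{tool}: no project is bound; refusing to guess one")

        if tool in self.confirm_tools:
            # Project creation is never implicit: the user approves this specific call
            # and names the project id, so the tool cannot silently pick one.
            if not approved_by_user:
                raise PolicyViolation(f"{tool}: changes account state, needs explicit user approval")
            if not params.get("project_id"):
                raise PolicyViolation(f"{tool}: the user must name the project id")
            return dict(params)

        # Every other call is pinned to the allowed project; an explicit parameter
        # naming a different project is a policy violation, not a fallback.
        project = params.get("project") or env.get("CLOUDSDK_CORE_PROJECT")
        if project != self.allowed_project:
            raise PolicyViolation(
                f"{tool}: targets project {project!r}, policy allows only {self.allowed_project!r}")
        return {**params, "project": project}


if __name__ == "__main__":
    # Constructed walk-through with a hypothetical project id and tool name.
    policy = GcpToolPolicy(allowed_project="stitch-dev-123")
    env = {"CLOUDSDK_CORE_PROJECT": "stitch-dev-123"}
    print(policy.check("get_design", {"design": "landing"}, env))
    for call in ({"project": "prod-456"}, {}):
        try:
            policy.check("create_project" if not call else "get_design", call, env)
        except PolicyViolation as exc:
            print("blocked:", exc)
    print(policy.check("create_project", {"project_id": "stitch-dev-123"}, env,
                       approved_by_user=True))
```

The gate deliberately refuses rather than defaults: a missing project binding or a missing approval is an error the user sees, which is the explicit confirmation step the recommendation asks for. Scopes granted during `gcloud auth` are outside what this gate can see, so they still need to be documented and minimised separately.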