Google Stitch MCP

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly scoped Google Stitch design-workflow guide, with remote project and screen changes aligned to its stated purpose and controlled by inspection and approval steps.

Install this if you intend to let your agent use an authenticated Google Stitch workspace for design exploration. Before running mutating actions, confirm the target project or screen, use test projects for experiments, and remember that generated or edited screens may remain in your remote Stitch account.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill documents destructive operations such as creating projects and editing or generating screens against a cloud-hosted Stitch workspace, but it does not clearly warn that these actions persist remotely in the user's account. In an agent setting, this can cause unintended modification, clutter, or overwrite of user assets because the user may assume the skill is informational or locally scoped.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal