N2 Stitch MCP
Security checks across malware telemetry and agentic risk
Overview
This looks like a real Google Stitch MCP proxy, but it needs Review because it runs an unpinned npm server with Google credentials and create/edit authority.
Install only if you trust the npm/GitHub package publisher. Prefer pinning a specific n2-stitch-mcp version, use a dedicated least-privilege Google credential or API key, avoid placing secrets in shared config or transcripts, and require confirmation before allowing the agent to create or edit important Stitch content.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
- Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
- Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
- Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
64/64 vendors flagged this skill as clean.
