Skill v1.0.0

ClawScan security

N2 Stitch MCP · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 13, 2026, 7:38 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's description matches a Stitch proxy, but the runtime instructions rely on downloading and running external code (npx) and on Google ADC/API credentials that are not declared in the metadata — this mismatch and implicit external install raise caution.
Guidance
This skill appears to be what it says (a Stitch MCP proxy) but the instructions rely on downloading and running an npm package via npx and on Google ADC/API keys that are not declared in the registry metadata. Before installing or invoking it:
- Inspect the npm package and the GitHub repo (https://github.com/choihyunsus/n2-stitch-mcp) to verify the code matches the described behavior and contains no unexpected network/credential exfiltration.
- Avoid using broad Google ADC with high-privilege accounts; prefer a minimal-scope service account or a Stitch-only API key limited to necessary operations.
- Consider pinning the package to a specific, audited version rather than using unfrozen npx pulls.
- Run the MCP proxy in an isolated environment (container or sandbox) until you have audited it.
- If possible, ask the publisher to include an install spec or the code in the bundle so it can be statically reviewed rather than relying on runtime npx fetch.
Because of the mismatch between metadata and runtime instructions and the runtime fetching of code, treat this skill with caution unless you can audit the external package and credential scopes first.

Review Dimensions

Purpose & Capability
note: The skill claims to be a resilient proxy for Google Stitch and the SKILL.md describes behavior consistent with that purpose (token refresh, retries, generation tracking). However the skill metadata declares no required credentials or binaries while the runtime docs explicitly instruct the user/agent to run 'gcloud auth application-default login' or export STITCH_API_KEY and to invoke 'npx n2-stitch-mcp' — credentials and an external package are needed in practice but not declared in the registry metadata.
Instruction Scope
concern: Runtime instructions ask the agent/user to perform Google ADC login and/or set an API key, and to add an MCP entry that runs 'npx n2-stitch-mcp'. These steps grant the skill access to credentials (ADC) and allow dynamic download/execution of remote code. The SKILL.md also references 'auto-discovered' Stitch API tools and virtual tools, but provides no in-bundle code to implement them, giving broad discretion to whatever the npx package does.
Install Mechanism
concern: There is no install spec in the bundle, but the instructions rely on 'npx' to fetch and run the npm package at runtime. That means arbitrary code will be pulled from the npm registry when the MCP server is launched — a higher-risk install mechanism because the package fetched at runtime may differ from what's described and the skill bundle contains no code to audit.
Credentials
concern: The SKILL.md instructs use of Google application-default credentials (gcloud ADC) or a STITCH_API_KEY, but the registry metadata lists no required env vars or primary credential. ADC via gcloud can expose broad Google Cloud permissions beyond Stitch if the logged-in identity is overprivileged. The required secrets are not declared in the skill metadata, so there is a mismatch between claimed requirements and actual instructions.
Persistence & Privilege
ok: The skill is not marked always:true and does not request system-wide privileges in metadata. It instructs adding an MCP server entry (its own config) which is a normal plugin installation pattern. This is expected for MCP-style proxies.