Stitch Design
v1.2.3
Official Google Stitch SDK wrapper for OpenClaw. Requires only STITCH_API_KEY. Generate UI screens from text, apply targeted edits, branch variants, export H...
by @rasimme
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description claim an official Google Stitch SDK wrapper and the package requests only a STITCH_API_KEY and Node — which matches the expected needs of a Stitch CLI. The code modules (download, artifacts, events, names, design-system) implement local artifact storage, event logging, aliasing, and restricted local design-system loading; these are coherent with the stated features (generate/edit/variants, export, local artifacts). No unrelated cloud credentials or binaries are required.
Instruction Scope
SKILL.md instructs running the bundled Node CLI (node scripts/stitch.mjs), installing Node dependencies in scripts/, and declares network access only to Google Stitch APIs and Google-hosted screenshot URLs. The code shows local writes are limited to runs/, state/, and latest-screen.json as documented. The design-system loader only reads markdown from the local design-systems/ directory and validates slugs. I saw no instructions to read other system files or to send data to endpoints outside the Stitch/CDN ecosystem.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but SKILL.md requires running `cd scripts && npm install`, which will pull @google/stitch-sdk and transitive npm packages. This is expected for an SDK wrapper but introduces the usual npm-supply-chain risk (moderate). There are no arbitrary URL downloads or obscure extract/install steps in the provided files.
Credentials
Only STITCH_API_KEY is declared as required and is used as the primary credential (SDK uses X-Goog-Api-Key). No other SECRET/TOKEN/PASSWORD env vars are requested. Local state and artifacts are written under the skill's folders. The code does not appear to require unrelated credentials or config paths.
Persistence & Privilege
The skill is not force-enabled (always:false) and does not request elevated platform privileges. It persists only its own artifacts (runs/, state/, latest-screen.json) and does not modify other skills or system-wide config. Autonomous model invocation is allowed (default) but is not combined with other concerning privileges.
Assessment
This skill appears to be what it says: a Node CLI wrapper around Google Stitch that needs only STITCH_API_KEY and writes artifacts under its own folders. Before installing:
1) Confirm the STITCH_API_KEY you supply is limited for Stitch usage (do not reuse high-privilege keys); rotate it if you stop using the skill.
2) Run the `npm install` step in an environment you control (or inspect the scripts/package.json first) because it will pull @google/stitch-sdk and transitive packages.
3) If you want higher assurance, review the main CLI (scripts/stitch.mjs) before use — my assessment used the modules shown but that file is large and not fully included above.
4) Expect the agent to contact stitch.googleapis.com and Google CDN screenshot URLs and to save HTML/PNG and JSON locally under the skill directory.
5) If you have strict network/data policies, run the skill in an isolated environment or container.
If you want, I can inspect the full scripts/stitch.mjs for any unexpected network endpoints or behaviors to raise confidence to high.
Like a lobster shell, security has layers — review code before you run it.
latestvk975vaxjbp16j52mya7h70aeax83v69d
Runtime requirements
Any bin: node, node18, node20, node22
Env: STITCH_API_KEY
Primary env: STITCH_API_KEY
