ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

N2 Stitch MCP

Resilient MCP proxy for Google Stitch — 3-layer safety (auto-retry, token refresh, TCP drop recovery).

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 611 · 1 current installs · 1 all-time installs
by@choihyunsus
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to be a resilient proxy for Google Stitch and the SKILL.md describes behavior consistent with that purpose (token refresh, retries, generation tracking). However the skill metadata declares no required credentials or binaries while the runtime docs explicitly instruct the user/agent to run 'gcloud auth application-default login' or export STITCH_API_KEY and to invoke 'npx n2-stitch-mcp' — credentials and an external package are needed in practice but not declared in the registry metadata.
!
Instruction Scope
Runtime instructions ask the agent/user to perform Google ADC login and/or set an API key, and to add an MCP entry that runs 'npx n2-stitch-mcp'. These steps grant the skill access to credentials (ADC) and allow dynamic download/execution of remote code. The SKILL.md also references 'auto-discovered' Stitch API tools and virtual tools, but provides no in-bundle code to implement them, giving broad discretion to whatever the npx package does.
!
Install Mechanism
There is no install spec in the bundle, but the instructions rely on 'npx' to fetch and run the npm package at runtime. That means arbitrary code will be pulled from the npm registry when the MCP server is launched — a higher-risk install mechanism because the package fetched at runtime may differ from what's described and the skill bundle contains no code to audit.
!
Credentials
The SKILL.md instructs use of Google application-default credentials (gcloud ADC) or an STITCH_API_KEY, but the registry metadata lists no required env vars or primary credential. ADC via gcloud can expose broad Google Cloud permissions beyond Stitch if the logged-in identity is overprivileged. The required secrets are not declared in the skill metadata, so there is a mismatch between claimed requirements and actual instructions.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide privileges in metadata. It instructs adding an MCP server entry (its own config) which is a normal plugin installation pattern. This is expected for MCP-style proxies.
What to consider before installing
This skill appears to be what it says (a Stitch MCP proxy) but the instructions rely on downloading and running an npm package via npx and on Google ADC/API keys that are not declared in the registry metadata. Before installing or invoking it: - Inspect the npm package and the GitHub repo (https://github.com/choihyunsus/n2-stitch-mcp) to verify the code matches the described behavior and contains no unexpected network/credential exfiltration. - Avoid using broad Google ADC with high-privilege accounts; prefer a minimal-scope service account or a Stitch-only API key limited to necessary operations. - Consider pinning the package to a specific, audited version rather than using unfrozen npx pulls. - Run the MCP proxy in an isolated environment (container or sandbox) until you have audited it. - If possible, ask the publisher to include an install spec or the code in the bundle so it can be statically reviewed rather than relying on runtime npx fetch. Because of the mismatch between metadata and runtime instructions and the runtime fetching of code, treat this skill with caution unless you can audit the external package and credential scopes first.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk976rz50rkjcbsw0ecz3bfjqr1812r7j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

🛡️ N2 Stitch MCP — Resilient Proxy Skill

Never lose a screen generation again. The only Stitch MCP proxy with TCP drop recovery.

The Problem

Google Stitch's generate_screen_from_text takes 2–10 minutes, but the API drops TCP after ~60 seconds.

Other MCP servers:  Request → 60s → TCP drop → ❌ LOST!
N2 Stitch MCP:      Request → 60s → TCP drop → 🛡️ Auto-recovery → ✅ Delivered!

Why This One?

FeatureOthersN2 Stitch MCP
TCP Drop Recovery✅ Auto-polling
Generation Trackinggeneration_status
Exponential Backoff✅ 3x retry + jitter
Auto Token Refresh⚠️✅ Background refresh
Test Suite✅ 35 tests

Quick Setup

1. Authenticate (one-time)

# Option A: gcloud (recommended)
gcloud auth application-default login

# Option B: API Key
export STITCH_API_KEY="your-key"

2. Add to MCP Config

{
  "mcpServers": {
    "n2-stitch": {
      "command": "npx",
      "args": ["-y", "n2-stitch-mcp"]
    }
  }
}

Available Tools

Stitch API (auto-discovered)

  • create_project — Create a Stitch project
  • list_projects — List all projects
  • get_project — Get project details
  • list_screens — List screens in a project
  • get_screen — Get screen HTML/CSS
  • generate_screen_from_text — ✨ Generate UI from text (Resilient!)
  • edit_screens — Edit existing screens
  • generate_variants — Generate design variants

Virtual Tools (N2 Exclusive)

  • generation_status — Check generation progress in real-time
  • list_generations — List all tracked generations

Links

Part of the N2 AI Body series — Building the Body for AI

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…