Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stitch Ui Designer

Design, preview, and generate UI code using Google Stitch (via MCP). Helps developers choose the best UI by generating previews first, allowing iteration, and then exporting code.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 1.1k · 3 current installs · 3 all-time installs
by Mus Titou @a2mus
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (design & export UIs via Google Stitch) align with the runtime actions (call stitch.generate_screen_from_text, fetch image/code). Requiring npx and an MCP runner (mcporter) is consistent. However, the SKILL.md references Google Cloud authentication and the GOOGLE_CLOUD_PROJECT env var but the skill lists no required env vars or primary credential — that omission is inconsistent and could hide necessary access to user GCP credentials.
Instruction Scope
The instructions stay within the UI-design flow: configure mcporter, run stitch commands to generate previews and code, and only fetch code after user approval. They do instruct performing gcloud auth and possibly configuring a project ID, which implies use of user Google credentials. The instructions do not request arbitrary filesystem scans or unrelated credentials, but they give the agent discretion to run npx and mcporter commands which may execute arbitrary remote code.
Install Mechanism
There is no install spec (instruction-only), which lowers direct risk, but the skill explicitly instructs using `npx -y stitch-mcp-auto` and `mcporter`. npx will fetch and execute code from the npm registry (remote code execution risk) and mcporter is an unfamiliar binary with no provenance or install guidance in the skill. The skill does not document how mcporter should be obtained or vetted.
Credentials
The skill does not declare required env vars or credentials, yet the README explicitly expects Google Cloud authentication and mentions the GOOGLE_CLOUD_PROJECT env var. Requesting (or prompting for) gcloud auth is appropriate for a Google Stitch integration, but the lack of declared credentials/primaryEnv is a mismatch and prevents informed consent about which secrets will be used or needed.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system configuration in its spec. It permits autonomous invocation (platform default), but nothing in the metadata indicates it would modify other skills or system-wide settings.
What to consider before installing
This skill looks like a legitimate UI-design wrapper for Google Stitch, but it depends on two external tools (mcporter and an npm package run via npx) and on your Google Cloud credentials. Before installing or using it:

  1. Confirm where mcporter comes from and whether you trust that binary; ask the seller/source for provenance or an install URL.
  2. Inspect the stitch-mcp-auto npm package (its npm page, repository, and recent releases) before allowing npx to run it — npx executes remote code.
  3. When prompted to run gcloud auth, be mindful of the scopes requested; prefer granting minimal scopes and use a dedicated project/service account, not your personal account.
  4. If possible, run initial tests in an isolated environment (throwaway project or VM) to limit blast radius.
  5. Ask the skill publisher to declare required env vars (e.g., GOOGLE_CLOUD_PROJECT) and provide install instructions for mcporter to make the integration auditable.
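The mismatches the scan describes (an unpinned `npx -y` package, an env var and a `gcloud auth` step that the metadata never declares) can be checked mechanically before a skill is installed. The following is an added example, not ClawHub's or OpenClaw's scanner: the manifest keys `bins`, `env` and `primaryEnv` in `DECLARED` are an assumed shape, and `SKILL_MD` is an excerpt constructed from the SKILL.md lines shown on this page.

```python
import re

# Constructed excerpt: three lines taken from the SKILL.md text on this page.
SKILL_MD = '''\
If not, configure it: mcporter config add stitch --command "npx" --args "-y stitch-mcp-auto"
Ensure the user is authenticated with Google Cloud (the tool may prompt for gcloud auth).
If you get errors about missing project IDs, ask the user to create or select a Google Cloud project first using create_project or by setting the GOOGLE_CLOUD_PROJECT env var.
'''

# Assumed manifest shape (hypothetical keys): what the skill says it needs.
DECLARED = {"bins": ["npx", "mcporter"], "env": [], "primaryEnv": None}

# `npx -y <pkg>`, also when split across --command/--args as in the line above.
NPX_RE = re.compile(r"\bnpx\s+(?:--args\s+)?(?:-y|--yes)\s+(\S+)")
# An exact semver after the package name, e.g. name@1.2.3 (not a tag or range).
EXACT_RE = re.compile(r"\d+\.\d+\.\d+(?:[-+][\w.]+)?")
# SHOUTING_SNAKE_CASE tokens with at least one underscore, treated as env vars.
ENV_RE = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")


def lint_skill(text, declared):
    """Return (rule, detail) findings for instructions that exceed the manifest."""
    findings = []
    # Drop quoting so the package name is a bare token after `-y`.
    flat = re.sub(r'["\'`]', " ", text)
    for match in NPX_RE.finditer(flat):
        spec = match.group(1).rstrip(".,;)")
        # Skip a leading '@' (scoped package) before looking for '@version'.
        version = spec[1:].partition("@")[2]
        if not EXACT_RE.fullmatch(version):
            findings.append(("unpinned-npx", spec))
    undeclared = set(ENV_RE.findall(text)) - set(declared.get("env") or [])
    for var in sorted(undeclared):
        findings.append(("undeclared-env", var))
    # Instructions that trigger a Google Cloud login imply a credential in use.
    if re.search(r"\bgcloud\s+auth\b", text) and not declared.get("primaryEnv"):
        findings.append(("undeclared-credential", "gcloud auth"))
    return findings


if __name__ == "__main__":
    for rule, detail in lint_skill(SKILL_MD, DECLARED):
        print(f"{rule}: {detail}")
```

A finding from `unpinned-npx` means the package that runs is whatever the registry serves at call time; pinning an exact, reviewed version narrows that to one release.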

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.0
latest vk975v1dvmry86s0b38m2ypggj980r8k7

Runtime requirements

🎨 Clawdis
Bins: npx, mcporter

SKILL.md

Stitch UI Designer

This skill allows you to design high-quality user interfaces using Google Stitch.

Workflow

Follow this process to help the user design a UI:

  1. Setup (First Time Only)

    • Check if the stitch server is configured in mcporter.
    • If not, configure it: `mcporter config add stitch --command "npx" --args "-y stitch-mcp-auto"`
    • Ensure the user is authenticated with Google Cloud (the tool may prompt for gcloud auth).
  2. Generate & Preview

    • Ask for a description of the interface (e.g., "Login screen for a crypto app").
    • Use stitch.generate_screen_from_text with the prompt.
    • Important: This returns a screenId.
    • Immediately fetch the preview image using stitch.fetch_screen_image(screenId).
    • Show the image to the user. Do not fetch the code yet.
  3. Iterate & Customize

    • Ask the user for feedback on the preview.
    • If changes are needed, use stitch.generate_screen_from_text again (potentially using stitch.extract_design_context from the previous screen to maintain style) or just refine the prompt.
    • Show the new preview.
  4. Export Code

    • Once the user approves the design ("This looks great"), fetch the code.
    • Use stitch.fetch_screen_code(screenId).
    • Present the HTML/CSS code or save it to a file as requested.

Tools (via mcporter)

Call these using `mcporter call stitch.<tool_name> <args>`:

  • generate_screen_from_text

    • Args: prompt (string), projectId (optional, usually auto-detected by stitch-mcp-auto)
    • Returns: screenId, name, url
    • Use this to start a design.
  • fetch_screen_image

    • Args: screenId (string)
    • Returns: Image data (display this to the user).
    • Use this to show the preview.
  • fetch_screen_code

    • Args: screenId (string)
    • Returns: html (string), css (string), etc.
    • Use this ONLY after user approval.
  • create_project

    • Args: name (string)
    • Use if no project exists.

Tips

  • Project Context: stitch-mcp-auto tries to manage the project ID automatically. If you get errors about missing project IDs, ask the user to create or select a Google Cloud project first using create_project or by setting the GOOGLE_CLOUD_PROJECT env var.
  • Preview First: Always prioritize the visual preview. Generating code for a bad design wastes tokens and time.
  • Stitch MCP Auto: We use stitch-mcp-auto because it handles the complex Google auth setup more gracefully than the standard package.
