Is a2mus/stitch-ui-designer safe?
https://github.com/openclaw/skills/tree/main/skills/a2mus/stitch-ui-designer
This skill is a thin prompt layer that bootstraps Google Stitch UI design via a third-party npm package (stitch-mcp-auto) installed with npx -y. The primary risk is supply chain: the skill auto-installs and runs an unscoped npm package as a persistent MCP server without explicit user confirmation. No direct malicious behavior was detected during installation monitoring, and all canary files remained intact.
Findings (7)
HIGH Auto-installs unverified npm package via npx -y (-30)
The skill instructs the agent to run 'npx -y stitch-mcp-auto', which automatically downloads and executes an npm package without any user confirmation prompt. The -y flag bypasses npx's interactive confirmation. This npm package then runs as an MCP server with access to the agent's tool ecosystem. If the package is compromised or malicious, it gains arbitrary code execution on the user's machine.
MEDIUM Unscoped third-party npm package poses supply chain risk (-15)
The package 'stitch-mcp-auto' is not published under an official Google npm scope (e.g., @google/stitch-mcp). The skill describes it as handling 'complex Google auth setup more gracefully than the standard package,' suggesting it is a third-party convenience wrapper. Unscoped packages are more susceptible to typosquatting and supply chain attacks. The provenance and maintainer of this package cannot be verified from the skill alone.
MEDIUM Agent auto-configures persistent MCP server without explicit consent step (-12)
The skill workflow instructs the agent to check if a stitch MCP server is configured, and if not, to silently add one via mcporter. This creates a persistent background service configuration that outlives the skill invocation. While MCP configuration is the skill's stated purpose, there is no instruction to confirm with the user before adding the server.
LOW Persistent MCP server process from npm package (-10)
Once configured via mcporter, stitch-mcp-auto runs as a persistent MCP server process. MCP servers can expose tools, read files, and make network requests depending on their implementation. The security boundary depends entirely on what stitch-mcp-auto implements, which is outside the scope of this skill's SKILL.md.
LOW Google Cloud authentication expands attack surface (-10)
The skill may prompt for gcloud auth and references the GOOGLE_CLOUD_PROJECT environment variable. While this is expected for Google Stitch functionality, it grants the MCP server access to the user's Google Cloud resources if authentication succeeds.
INFO No hidden instructions or manipulation techniques detected (0)
The SKILL.md contains no invisible unicode characters, HTML comments hiding instructions, persona override attempts, or references to external URLs for the agent to fetch. The prompt content matches its stated purpose.
INFO Clean installation with no anomalous activity (0)
Installation monitoring detected only expected behavior: GitHub clone traffic, system service activity, and JIT compilation artifacts. No unexpected network connections, process spawning, or filesystem access outside normal parameters.