stitchflow
Transforms briefs and mockups into UI screens and Tailwind-friendly HTML, enhancing design workflows with natural language input.
The stitchflow skill was audited on May 22, 2026 and we found 9 security issues across 3 threat categories, including 6 high-severity. Review the findings below before installing.
Security Issues
| Finding | Line | Flagged text |
| --- | --- | --- |
| Template literal with variable interpolation in command context | 19 | It prefers native Stitch MCP tools when they are available in the current agent session, and falls back to the local toolkit at `${STITCH_STARTER_ROOT:-$HOME/.agents/stitch-starter}` when they are not |
| Template literal with variable interpolation in command context | 23 | - Toolkit root: `${STITCH_STARTER_ROOT:-$HOME/.agents/stitch-starter}` |
| Template literal with variable interpolation in command context | 24 | - API key is expected in `${STITCH_STARTER_ROOT:-$HOME/.agents/stitch-starter}/.env` |
| Template literal with variable interpolation in command context | 25 | - Outputs are saved to `${STITCH_STARTER_ROOT:-$HOME/.agents/stitch-starter}/runs` |
| Template literal with variable interpolation in command context | 26 | - The latest single-screen result is tracked in `${STITCH_STARTER_ROOT:-$HOME/.agents/stitch-starter}/runs/latest-screen.json` |
| Template literal with variable interpolation in command context | 132 | - the output folder under `${STITCH_STARTER_ROOT:-$HOME/.agents/stitch-starter}/runs` |
| Access to .env file | 24 | - API key is expected in `${STITCH_STARTER_ROOT:-$HOME/.agents/stitch-starter}/.env` |
| Access to .env file | 84 | 9. Never print or expose `STITCH_API_KEY` or `.env` contents. |
| External URL reference | 42 | url = "https://stitch.googleapis.com/mcp" |