← Back to Skills Marketplace

N2 Stitch MCP

Name: N2 Stitch MCP
Author: choihyunsus

by choihyunsus · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

891

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install n2-stitch-mcp

Description

Resilient MCP proxy for Google Stitch — 3-layer safety (auto-retry, token refresh, TCP drop recovery).

Usage Guidance

This skill appears to be what it says (a Stitch MCP proxy) but the instructions rely on downloading and running an npm package via npx and on Google ADC/API keys that are not declared in the registry metadata. Before installing or invoking it: - Inspect the npm package and the GitHub repo (https://github.com/choihyunsus/n2-stitch-mcp) to verify the code matches the described behavior and contains no unexpected network/credential exfiltration. - Avoid using broad Google ADC with high-privilege accounts; prefer a minimal-scope service account or a Stitch-only API key limited to necessary operations. - Consider pinning the package to a specific, audited version rather than using unfrozen npx pulls. - Run the MCP proxy in an isolated environment (container or sandbox) until you have audited it. - If possible, ask the publisher to include an install spec or the code in the bundle so it can be statically reviewed rather than relying on runtime npx fetch. Because of the mismatch between metadata and runtime instructions and the runtime fetching of code, treat this skill with caution unless you can audit the external package and credential scopes first.

Capability Analysis

Type: OpenClaw Skill Name: n2-stitch-mcp Version: 1.0.0 The `SKILL.md` file instructs the OpenClaw agent to execute an external npm package via `npx -y n2-stitch-mcp`. This command fetches and runs code from the npm registry, introducing a significant supply chain risk and a potential remote code execution vulnerability if the external package were compromised or malicious. While the stated purpose is to provide a resilient proxy, the method of execution involves running arbitrary external code, which is a high-risk behavior.

Capability Assessment

ℹ Purpose & Capability

The skill claims to be a resilient proxy for Google Stitch and the SKILL.md describes behavior consistent with that purpose (token refresh, retries, generation tracking). However the skill metadata declares no required credentials or binaries while the runtime docs explicitly instruct the user/agent to run 'gcloud auth application-default login' or export STITCH_API_KEY and to invoke 'npx n2-stitch-mcp' — credentials and an external package are needed in practice but not declared in the registry metadata.

⚠ Instruction Scope

Runtime instructions ask the agent/user to perform Google ADC login and/or set an API key, and to add an MCP entry that runs 'npx n2-stitch-mcp'. These steps grant the skill access to credentials (ADC) and allow dynamic download/execution of remote code. The SKILL.md also references 'auto-discovered' Stitch API tools and virtual tools, but provides no in-bundle code to implement them, giving broad discretion to whatever the npx package does.

⚠ Install Mechanism

There is no install spec in the bundle, but the instructions rely on 'npx' to fetch and run the npm package at runtime. That means arbitrary code will be pulled from the npm registry when the MCP server is launched — a higher-risk install mechanism because the package fetched at runtime may differ from what's described and the skill bundle contains no code to audit.

⚠ Credentials

The SKILL.md instructs use of Google application-default credentials (gcloud ADC) or an STITCH_API_KEY, but the registry metadata lists no required env vars or primary credential. ADC via gcloud can expose broad Google Cloud permissions beyond Stitch if the logged-in identity is overprivileged. The required secrets are not declared in the skill metadata, so there is a mismatch between claimed requirements and actual instructions.

✓ Persistence & Privilege

The skill is not marked always:true and does not request system-wide privileges in metadata. It instructs adding an MCP server entry (its own config) which is a normal plugin installation pattern. This is expected for MCP-style proxies.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install n2-stitch-mcp
After installation, invoke the skill by name or use /n2-stitch-mcp
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

- Initial release of n2-stitch-mcp. - Provides a resilient MCP proxy for Google Stitch with 3-layer safety: auto-retry, token refresh, and TCP drop recovery. - Includes advanced features like auto-polling, exponential backoff, background token refresh, and real-time generation status checks. - Supports all essential Stitch API actions plus exclusive virtual tools for tracking generation progress. - Extensive test suite included for reliability.

Metadata

Slug n2-stitch-mcp

Version 1.0.0

License —

All-time Installs 1

Active Installs 1

Total Versions 1

Frequently Asked Questions

What is N2 Stitch MCP?

Resilient MCP proxy for Google Stitch — 3-layer safety (auto-retry, token refresh, TCP drop recovery). It is an AI Agent Skill for Claude Code / OpenClaw, with 891 downloads so far.

How do I install N2 Stitch MCP?

Run "/install n2-stitch-mcp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is N2 Stitch MCP free?

Yes, N2 Stitch MCP is completely free (open-source). You can download, install and use it at no cost.

Which platforms does N2 Stitch MCP support?

N2 Stitch MCP is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created N2 Stitch MCP?

It is built and maintained by choihyunsus (@choihyunsus); the current version is v1.0.0.

More Skills