StitchFlow
by yshishenya · GitHub ↗ · v1.3.0 · MIT-0
217 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw: /install stitchflow
Description
Turn briefs, mockups, and product context into Stitch UI screens, design variants, Tailwind-friendly HTML, and screenshots. Use when the user wants to explor...
Usage Guidance
This skill appears to be a local CLI wrapper that needs a local 'stitch-starter' toolkit and a STITCH_API_KEY stored in a .env file. Before installing or using it:
1) Inspect the GitHub repository and the install.sh script yourself to ensure there are no unexpected commands (network exfiltration, chmod +x of unknown binaries, downloads from untrusted URLs).
2) Keep the STITCH_API_KEY scoped with least privilege for just the Stitch service, and consider providing it via a dedicated environment variable or a secret manager rather than a shared .env if other secrets live in that folder.
3) Run the installer and CLI inside an isolated environment (container or VM) until you have verified their behavior.
4) Verify outputs and any network calls (e.g., via network monitoring) during the first few runs.
5) Ask the skill author to update the registry metadata to declare the required env vars and an explicit, verifiable install source; that will make the skill's requirements coherent and easier to audit.
Capability Analysis
Type: OpenClaw Skill
Name: stitchflow
Version: 1.3.0
The skill bundle is designed for UI generation but contains a significant shell injection vulnerability. The instructions in SKILL.md and references/cli-usage.md direct the agent to execute shell commands (e.g., 'npm run generate -- --prompt "..."') using user-provided input that has been rewritten by the AI. There is no mention of shell-escaping or sanitization, which could allow an attacker to execute arbitrary commands via prompt injection. Additionally, SKILL.md references an external installation script (install.sh) that is not provided in the bundle, which is a common vector for supply-chain risks.
Capability Assessment
Purpose & Capability
The skill's purpose (generate Stitch UI screens using a local 'stitch-starter' toolkit) aligns with the instructions in SKILL.md. However, SKILL.md claims the tool "Requires Node.js 22+, a configured STITCH_API_KEY, and the local stitch-starter toolkit installed by this repository," while the registry metadata lists no required env vars or install steps. That metadata/instruction mismatch is inconsistent and should be corrected.
Instruction Scope
The instructions explicitly tell the agent to cd into a local toolkit root, inspect the user's project for UI/context, and rely on a .env file containing STITCH_API_KEY. Inspecting the user's codebase and reading the toolkit's .env are reasonable for a local CLI-based design tool, but they are sensitive operations. The SKILL.md does state 'Never print or expose STITCH_API_KEY or .env contents,' but the agent still needs access to those files to operate, which increases risk if the install/run environment is not trusted.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md includes an 'install: "bash install.sh --target all"' directive and says the repository installs a local starter toolkit. Because this skill is instruction-only (no bundled code), the actual install would come from the external repository or script. Running an arbitrary install.sh carries non-trivial risk unless the user inspects the script and repository first. The homepage is a GitHub URL (helpful), but the skill provides no packaged, vetted install source in its metadata.
Credentials
SKILL.md requires a STITCH_API_KEY (expected in the toolkit .env) and Node.js 22+, but the registry lists no required env vars or primary credential. Requesting a single service API key is proportionate to the stated purpose, but its omission from the declared requirements is a red flag. The agent will also read the toolkit folder and latest-screen.json; if that folder contains other secrets, they could be exposed accidentally. The skill does not request unrelated credentials, but it implicitly accesses local config files.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not claim to modify other skills or system-wide settings. It writes artifacts into a local runs folder within the toolkit root, which is consistent with its stated purpose.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install stitchflow
- After installation, invoke the skill by name or use /stitchflow
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.3.0
Canonical skill slug is now stitchflow. Added safe migration from stitch-design-local.
Frequently Asked Questions
What is StitchFlow?
See the Description above. It is an AI Agent Skill for Claude Code / OpenClaw, with 217 downloads so far.
How do I install StitchFlow?
Run "/install stitchflow" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is StitchFlow free?
Yes, StitchFlow is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does StitchFlow support?
StitchFlow is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created StitchFlow?
It is built and maintained by yshishenya (@yshishenya); the current version is v1.3.0.