← Back to Skills Marketplace
258
Downloads
1
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install stitch-design-agent
Description
Skill for an agent that integrates designs generated by Google Stitch directly into an app under development. Use this skill whenever the agent needs to: aut...
Usage Guidance
Before installing, confirm the skill's origin (homepage/owner) and ask the publisher to fix the metadata to list STITCH_TOKEN (and any service-account key) as required. Do not grant a token with the cloud-platform scope unless you understand and accept the broad GCP privileges; prefer a least-privilege scope if Stitch exposes one. Expect the agent to write files into your repo and run build/lint commands — run this in a sandbox or on a branch, review generated code before committing, and ensure CI/linters/tests gate commits. If using a service account, store keys securely and restrict them to only the APIs needed. If the publisher cannot justify the scopes/credentials or provide a trustworthy homepage/source, treat the skill with caution and avoid installing it in production environments.
Capability Analysis
Type: OpenClaw Skill
Name: stitch-design-agent
Version: 1.0.2
The skill requests an overly broad Google OAuth scope (cloud-platform) for a UI design task and utilizes high-risk capabilities including arbitrary shell execution (bash), file system modification (file_write), and external network requests. While the workflow in SKILL.md aligns with the stated purpose of integrating AI-generated designs, the combination of broad permissions and the potential for Remote Code Execution via the integration of unvetted code from an external API (stitch.googleapis.com) poses a significant security risk. No clear evidence of intentional malice or data exfiltration was found, but the over-privileged scope and execution capabilities warrant a suspicious classification.
Capability Assessment
Purpose & Capability
The SKILL.md clearly requires a STITCH_TOKEN (Google OAuth token / service account key) and describes writing code into the active project; however the registry metadata lists no required env vars, no primary credential, and no config paths. That mismatch (declared zero credentials vs. SKILL.md requiring STITCH_TOKEN and optionally service-account keys) is incoherent and should be corrected before trusting the skill.
Instruction Scope
Instructions direct the agent to read process.env.STITCH_TOKEN, call an external API, create files under src/components/*.tsx, scan the repo (grep), inject imports/JSX, and run build/lint commands (npx tsc, npm run lint). Those actions are consistent with the stated integration purpose but they grant the skill broad ability to modify the user's codebase and run tooling — the SKILL.md also implies handling service-account private material. The instructions access secrets and modify source; that is expected but high-impact and not reflected in metadata.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes disk-side risk since nothing is downloaded or installed by the skill itself.
Credentials
The SKILL.md requires a STITCH_TOKEN and suggests requesting the OAuth scope https://www.googleapis.com/auth/cloud-platform. cloud-platform is very broad (access across GCP) and likely overprivileged for a single Stitch API; service-account flows imply private keys. These sensitive credentials are not declared in the registry metadata. Requesting wide-scope OAuth tokens without justification is disproportionate.
Persistence & Privilege
The skill is not marked always:true and does not claim to modify other skills or system-wide settings. It will write into the active project and run local build tools, which is expected for its purpose but should be an explicit, user-approved capability.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install stitch-design-agent - After installation, invoke the skill by name or use
/stitch-design-agent - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Version 1.0.2 of stitch-design-agent is a documentation update with improved clarity, translation, and expanded usage notes:
- SKILL.md rewritten from Spanish to English.
- OAuth scope and API instructions clarified.
- Usage triggers and configuration extended for broader detection.
- Multiple new and more precise agent usage notes added, including guidance for working with design systems and theme variables.
- No functional or file changes—documentation only.
v1.0.1
No functional or content changes in this release.
- Version bump to 1.0.1.
- No file or documentation changes detected.
v1.0.0
stitch-design-agent 1.0.0
- Initial release of the stitch-design-agent skill.
- Includes core documentation and project structure in SKILL.md.
Metadata
Frequently Asked Questions
What is Stitch Design Agent?
Skill for an agent that integrates designs generated by Google Stitch directly into an app under development. Use this skill whenever the agent needs to: aut... It is an AI Agent Skill for Claude Code / OpenClaw, with 258 downloads so far.
How do I install Stitch Design Agent?
Run "/install stitch-design-agent" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Stitch Design Agent free?
Yes, Stitch Design Agent is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Stitch Design Agent support?
Stitch Design Agent is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Stitch Design Agent?
It is built and maintained by duvanCode (@duvancode); the current version is v1.0.2.
More Skills