← 返回 Skills 市场
N2 Stitch MCP
作者
choihyunsus
· GitHub ↗
· v1.0.0
891
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install n2-stitch-mcp
功能描述
Resilient MCP proxy for Google Stitch — 3-layer safety (auto-retry, token refresh, TCP drop recovery).
安全使用建议
This skill appears to be what it says (a Stitch MCP proxy) but the instructions rely on downloading and running an npm package via npx and on Google ADC/API keys that are not declared in the registry metadata. Before installing or invoking it:
- Inspect the npm package and the GitHub repo (https://github.com/choihyunsus/n2-stitch-mcp) to verify the code matches the described behavior and contains no unexpected network/credential exfiltration.
- Avoid using broad Google ADC with high-privilege accounts; prefer a minimal-scope service account or a Stitch-only API key limited to necessary operations.
- Consider pinning the package to a specific, audited version rather than using unfrozen npx pulls.
- Run the MCP proxy in an isolated environment (container or sandbox) until you have audited it.
- If possible, ask the publisher to include an install spec or the code in the bundle so it can be statically reviewed rather than relying on runtime npx fetch.
Because of the mismatch between metadata and runtime instructions and the runtime fetching of code, treat this skill with caution unless you can audit the external package and credential scopes first.
功能分析
Type: OpenClaw Skill
Name: n2-stitch-mcp
Version: 1.0.0
The `SKILL.md` file instructs the OpenClaw agent to execute an external npm package via `npx -y n2-stitch-mcp`. This command fetches and runs code from the npm registry, introducing a significant supply chain risk and a potential remote code execution vulnerability if the external package were compromised or malicious. While the stated purpose is to provide a resilient proxy, the method of execution involves running arbitrary external code, which is a high-risk behavior.
能力评估
Purpose & Capability
The skill claims to be a resilient proxy for Google Stitch and the SKILL.md describes behavior consistent with that purpose (token refresh, retries, generation tracking). However the skill metadata declares no required credentials or binaries while the runtime docs explicitly instruct the user/agent to run 'gcloud auth application-default login' or export STITCH_API_KEY and to invoke 'npx n2-stitch-mcp' — credentials and an external package are needed in practice but not declared in the registry metadata.
Instruction Scope
Runtime instructions ask the agent/user to perform Google ADC login and/or set an API key, and to add an MCP entry that runs 'npx n2-stitch-mcp'. These steps grant the skill access to credentials (ADC) and allow dynamic download/execution of remote code. The SKILL.md also references 'auto-discovered' Stitch API tools and virtual tools, but provides no in-bundle code to implement them, giving broad discretion to whatever the npx package does.
Install Mechanism
There is no install spec in the bundle, but the instructions rely on 'npx' to fetch and run the npm package at runtime. That means arbitrary code will be pulled from the npm registry when the MCP server is launched — a higher-risk install mechanism because the package fetched at runtime may differ from what's described and the skill bundle contains no code to audit.
Credentials
The SKILL.md instructs use of Google application-default credentials (gcloud ADC) or an STITCH_API_KEY, but the registry metadata lists no required env vars or primary credential. ADC via gcloud can expose broad Google Cloud permissions beyond Stitch if the logged-in identity is overprivileged. The required secrets are not declared in the skill metadata, so there is a mismatch between claimed requirements and actual instructions.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide privileges in metadata. It instructs adding an MCP server entry (its own config) which is a normal plugin installation pattern. This is expected for MCP-style proxies.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install n2-stitch-mcp - 安装完成后,直接呼叫该 Skill 的名称或使用
/n2-stitch-mcp触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release of n2-stitch-mcp.
- Provides a resilient MCP proxy for Google Stitch with 3-layer safety: auto-retry, token refresh, and TCP drop recovery.
- Includes advanced features like auto-polling, exponential backoff, background token refresh, and real-time generation status checks.
- Supports all essential Stitch API actions plus exclusive virtual tools for tracking generation progress.
- Extensive test suite included for reliability.
元数据
常见问题
N2 Stitch MCP 是什么?
Resilient MCP proxy for Google Stitch — 3-layer safety (auto-retry, token refresh, TCP drop recovery). 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 891 次。
如何安装 N2 Stitch MCP?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install n2-stitch-mcp」即可一键安装,无需额外配置。
N2 Stitch MCP 是免费的吗?
是的,N2 Stitch MCP 完全免费(开源免费),可自由下载、安装和使用。
N2 Stitch MCP 支持哪些平台?
N2 Stitch MCP 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 N2 Stitch MCP?
由 choihyunsus(@choihyunsus)开发并维护,当前版本 v1.0.0。
推荐 Skills