StitchFlow
Author: yshishenya · GitHub · v1.3.0 · MIT-0
Total downloads: 217
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw:
/install stitchflow
Description
Turn briefs, mockups, and product context into Stitch UI screens, design variants, Tailwind-friendly HTML, and screenshots. Use when the user wants to explor...
Safe usage advice
This skill appears to be a local CLI wrapper that needs a local 'stitch-starter' toolkit and a STITCH_API_KEY stored in a .env file. Before installing or using it:
1) Inspect the GitHub repository and the install.sh script yourself to ensure there are no unexpected commands (network exfiltration, chmod +x of unknown binaries, downloads from untrusted URLs).
2) Keep the STITCH_API_KEY scoped with least privilege for just the Stitch service, and consider providing it via a dedicated environment variable or secret manager rather than a shared .env if you have other secrets in that folder.
3) Run the installer and CLI inside an isolated environment (container or VM) until you have verified its behavior.
4) Verify outputs and any network calls (e.g., via network monitoring) during the first few runs.
5) Ask the skill author to update the registry metadata to declare required env vars and an explicit, verifiable install source; that will make the skill's requirements coherent and easier to audit.
Functional analysis
Type: OpenClaw Skill
Name: stitchflow
Version: 1.3.0
The skill bundle is designed for UI generation but contains a significant shell injection vulnerability. The instructions in SKILL.md and references/cli-usage.md direct the agent to execute shell commands (e.g., 'npm run generate -- --prompt "..."') using user-provided input that has been rewritten by the AI. There is no mention of shell-escaping or sanitization, which could allow an attacker to execute arbitrary commands via prompt injection. Additionally, SKILL.md references an external installation script (install.sh) that is not provided in the bundle, which is a common vector for supply-chain risks.
Capability assessment
Purpose & Capability
The skill's purpose (generate Stitch UI screens using a local 'stitch-starter' toolkit) aligns with the instructions in SKILL.md. However, SKILL.md claims the tool "Requires Node.js 22+, a configured STITCH_API_KEY, and the local stitch-starter toolkit installed by this repository," while the registry metadata lists no required env vars or install steps. That mismatch between metadata and instructions should be corrected.
Instruction Scope
The instructions explicitly tell the agent to cd into a local toolkit root, inspect the user's project for UI/context, and rely on a .env file containing STITCH_API_KEY. Inspecting the user's codebase and reading the toolkit's .env are reasonable for a local CLI-based design tool, but they are sensitive operations. The SKILL.md does state 'Never print or expose STITCH_API_KEY or .env contents,' but the agent still needs access to those files to operate, which increases risk if the install/run environment is not trusted.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md includes an 'install: "bash install.sh --target all"' directive and says the repository installs a local starter toolkit. Because this is instruction-only (no bundled code), the actual install would come from external repo/script. Running an arbitrary install.sh has non-trivial risk unless the user inspects the script and repository. The homepage is a GitHub URL (helpful), but the skill provides no packaged, vetted install source in metadata.
Credentials
SKILL.md requires a STITCH_API_KEY (expected in the toolkit .env) and Node.js 22+, but the registry lists no required env vars or primary credential. Requesting a single service API key for the tool is proportionate to the stated purpose, but the omission from the declared requirements is a red flag. Also, the agent will read the toolkit folder and latest-screen.json; if that folder contains other secrets, they could be exposed accidentally. The skill does not request unrelated credentials, but it implicitly accesses local config files.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not claim to modify other skills or system-wide settings. It writes artifacts into a local runs folder within the toolkit root, which is consistent with its stated purpose.
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install stitchflow
- After installation, call the Skill by name directly, or trigger it with /stitchflow.
- Provide the required input according to the Skill's parameter description to get structured output.
Version history
v1.3.0
Canonical skill slug is now stitchflow. Added safe migration from stitch-design-local.
FAQ
What is StitchFlow?
Turn briefs, mockups, and product context into Stitch UI screens, design variants, Tailwind-friendly HTML, and screenshots. Use when the user wants to explor... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 217 downloads to date.
How do I install StitchFlow?
Run the command "/install stitchflow" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is StitchFlow free?
Yes, StitchFlow is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does StitchFlow support?
StitchFlow is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who develops StitchFlow?
Developed and maintained by yshishenya (@yshishenya); the current version is v1.3.0.