Scan Report
5/100
stitch-design-agent
Skill for integrating Google Stitch designs into apps via OAuth authentication and API calls
This is a documentation-only skill that describes a legitimate Google Stitch design integration workflow with all capabilities properly declared in SKILL.md.
Safe to install
No action required. The skill consists solely of documentation describing standard OAuth authentication and build tool usage.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md lines 94-102 describe fs.writeFileSync usage |
| Network | READ | READ | ✓ Aligned | SKILL.md lines 46-68 describe OAuth and API calls to Google endpoints |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md lines 109-113 describe execSync calls for build tools |
1 finding
Medium: External URL
https://accounts.google.com/o/oauth2/v2/auth (SKILL.md:39)
File Tree
1 file · 7.4 KB · 256 lines (Markdown: 1 file, 256 lines)
└─ SKILL.md (Markdown)
Security Positives
✓ All capabilities explicitly declared in SKILL.md documentation
✓ No executable code or scripts present - documentation only
✓ OAuth flow uses legitimate Google endpoints (accounts.google.com, oauth2.googleapis.com)
✓ Stitch API endpoint is a legitimate Google service (stitch.googleapis.com)
✓ File operations scoped to feature-specific paths (src/components/)
✓ Shell commands limited to standard development tools (npm, npx, tsc, grep)
✓ No obfuscation, base64 encoding, or suspicious patterns detected
✓ No credential harvesting or exfiltration behavior
✓ No sensitive path access (~/.ssh, ~/.aws, .env files not accessed)