stitchflow
Transforms briefs and mockups into UI screens and Tailwind-friendly HTML, enhancing design workflows with natural language input.
Install this skill
Security score
The stitchflow skill was audited on Mar 19, 2026 and we found 8 security issues across 2 threat categories, including 6 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 19 | It uses the local toolkit at `${STITCH_STARTER_ROOT:-$HOME/.agents/stitch-starter}` instead of a Stitch MCP tool. |
Template literal with variable interpolation in command context
| 23 | - Toolkit root: `${STITCH_STARTER_ROOT:-$HOME/.agents/stitch-starter}` |
Template literal with variable interpolation in command context
| 24 | - API key is expected in `${STITCH_STARTER_ROOT:-$HOME/.agents/stitch-starter}/.env` |
Template literal with variable interpolation in command context
| 25 | - Outputs are saved to `${STITCH_STARTER_ROOT:-$HOME/.agents/stitch-starter}/runs` |
Template literal with variable interpolation in command context
| 26 | - The latest single-screen result is tracked in `${STITCH_STARTER_ROOT:-$HOME/.agents/stitch-starter}/runs/latest-screen.json` |
Template literal with variable interpolation in command context
| 96 | - the output folder under `${STITCH_STARTER_ROOT:-$HOME/.agents/stitch-starter}/runs` |
Access to .env file
| 24 | - API key is expected in `${STITCH_STARTER_ROOT:-$HOME/.agents/stitch-starter}/.env` |
Access to .env file
| 53 | 7. Never print or expose `STITCH_API_KEY` or `.env` contents. |
Install this skill with one command
/learn @yshishenya/stitchflow