stitch-skills
Warn
Audited by Socket on Apr 22, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: The core UI-design and screen-to-code capabilities are coherent with the stated purpose, and the Stitch-related data flow appears proportionate. The main risk is transitive trust: this skill instructs the agent to install additional skills via npx, including from an unrelated third-party GitHub repo, which expands the execution surface beyond the publisher and raises supply-chain risk. No strong evidence of credential theft or clearly malicious exfiltration is present, but the install footprint is broader than necessary.
Confidence: 83%
Severity: 62%
Audit Metadata