stitch-sdk-development
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the user to run local project scripts using `bun` and `npx` (e.g., `bun scripts/generate-sdk.ts`, `npx vitest`). These commands are standard for the described development workflow of building and testing the SDK.
- [CREDENTIALS_UNSAFE]: References the use of `STITCH_API_KEY` and `STITCH_ACCESS_TOKEN`. The skill correctly advises reading these from environment variables rather than hardcoding them, which is a standard security best practice for SDKs.
- [EXTERNAL_DOWNLOADS]: Mentions connecting to a Stitch MCP server to retrieve tool schemas for code generation. This is a core functional requirement of the SDK's generation pipeline and targets the vendor's own infrastructure.
- [DYNAMIC_EXECUTION]: Describes a pipeline that generates TypeScript classes from JSON schemas (MCP tools). While this involves generating executable code, the process is described as deterministic template expansion with integrity checks (SHA-256 hashing in `stitch-sdk.lock`) to ensure consistency.
Audit Metadata