stitch-vue-layui-components
Audited by Socket on Mar 6, 2026
1 alert found:
Obfuscated File

The skill legitimately aims to convert Stitch designs into Vue 3 + Layui-Vue components, and the documented workflow fits that purpose. However, it carries several supply-chain and execution risks: it relies on a repository-provided shell script (scripts/fetch-stitch.sh) to fetch remote HTML, and the workflow neither shows nor verifies that script's contents; downloaded assets are not integrity-checked; the allowed-tool permissions are broad; and the instructions recommend installing npm dependencies without version pinning. Together these raise the chance of compromise if an attacker controls the exported URLs or the repository scripts. Recommended mitigations: review and audit scripts/fetch-stitch.sh and the other bundled resources before executing them; add checksums or signatures for fetched assets, or fetch design assets through authenticated APIs/SDKs instead; sanitize URLs and avoid saving any that embed tokens; pin or audit npm dependencies and commit a lockfile; and constrain tool permissions where possible. With these mitigations in place the risk is materially reduced.
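The mitigations above (integrity checks on fetched assets, keeping tokens out of saved URLs) can be expressed as a small hardened fetch helper. The following is an added example written for this audit note; it is not the skill's own scripts/fetch-stitch.sh, and the function names, the expected-hash argument, and the list of token-like query parameters it screens for are assumptions. It assumes curl and either sha256sum (coreutils) or shasum are installed.

```shell
#!/usr/bin/env sh
# Added example of a checksum-verified fetch; not the skill's scripts/fetch-stitch.sh.
# Assumed tools: curl, and sha256sum (coreutils) or shasum as a fallback.

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> exit 0 only if the digest matches exactly
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# redact_url URL -> prints the URL with its query string and fragment removed,
# so a URL that carries a token is never logged or written to disk as-is
redact_url() {
    printf '%s\n' "$1" | sed 's/[?#].*$//'
}

# url_has_token URL -> exit 0 if the query string carries a token-like parameter
# (the parameter names are an assumed list, extend it for your own exporter)
url_has_token() {
    printf '%s' "$1" | grep -Eiq '[?&](token|access_token|sig|signature|key|api_key)='
}

# fetch_verified URL EXPECTED_SHA256 DEST
# Downloads over HTTPS only, refuses to keep the file unless its digest matches,
# and never echoes the unredacted URL.
fetch_verified() {
    url="$1"; expected="$2"; dest="$3"
    if url_has_token "$url"; then
        printf 'refusing to record a URL that embeds a credential: %s\n' "$(redact_url "$url")" >&2
    fi
    tmp=$(mktemp) || return 1
    # --proto '=https' rejects plain HTTP, including HTTP targets reached via redirect
    if ! curl --fail --silent --show-error --location --max-redirs 3 \
            --proto '=https' --output "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    if verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest"
        printf 'fetched %s (sha256 ok)\n' "$(redact_url "$url")"
    else
        rm -f "$tmp"
        printf 'checksum mismatch for %s; discarding download\n' "$(redact_url "$url")" >&2
        return 1
    fi
}
```

Pair this with a pinned dependency install (`npm ci` against a committed package-lock.json, optionally with `--ignore-scripts` so a compromised package cannot run install hooks) rather than a bare `npm install`, and require the expected digest to come from a source the caller trusts, not from the same remote that serves the file.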