stitch-setup
Warn
Audited by Socket on Mar 21, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS: the stated purpose is plausible and official Google endpoints are used for the MCP service, but the setup also asks users to trust unrelated third-party components: an NPX installer that may collect the API key and a separate GitHub-hosted skill/plugin repo. Those extra install paths are not clearly necessary for basic Stitch MCP setup and create supply-chain and transitive-trust risk disproportionate to a simple configuration guide.
Confidence: 85%
Severity: 76%