Context7 API Documentation Fetcher

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it embeds and automatically uses a hardcoded Context7 API key without disclosing that to users.

Review before installing. The skill is narrowly aimed at fetching documentation from Context7, but it will use an embedded API key if you do not provide CONTEXT7_API_KEY. Prefer a version that removes the fallback key, requires your own configured key, and clearly documents what queries are sent to Context7.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

High
Confidence: 99%

Finding
The code embeds a live-looking fallback API key directly in source, which exposes a secret to anyone with repository or package access and allows unintended use of the associated account. In a skill that automatically fetches external documentation, this creates unauthorized credential use and potential billing, quota exhaustion, or account abuse.

VirusTotal

65/65 vendors flagged this skill as clean.
