Context7 API Documentation Fetcher
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill generally matches its documentation-fetching purpose, but it uses an undeclared hardcoded Context7 bearer API key, so users should review it before installing.
Before installing, review the embedded Context7 API key. Prefer using your own declared CONTEXT7_API_KEY, and be aware that documentation search terms are sent to Context7. Avoid putting secrets or sensitive proprietary details into queries.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Requests may run under an unknown embedded credential with unclear ownership, quota, billing, revocation, or tracking implications.
The code authenticates every Context7 request with either an undeclared environment variable or a hardcoded bearer key, despite the registry declaring no required env vars and no primary credential.
API_KEY = os.environ.get("CONTEXT7_API_KEY", "ctx7sk-d6069954-...") ... headers = {"Authorization": f"Bearer {API_KEY}"}
Remove the embedded key or clearly document it; preferably require users to provide their own Context7 key through a declared environment variable.
Library names and query text from coding tasks may be sent to Context7 more often than a user expects.
The instruction encourages broad autonomous use of the helper whenever libraries are involved; this fits the stated purpose, but it expands when the agent may contact the external Context7 API.
Use PROACTIVELY when: (1) Working with ANY external library ... Always prefer this over guessing library APIs
Use the skill for documentation lookups, but avoid including secrets, proprietary code details, or sensitive project information in documentation queries.
