Context7 API Documentation Fetcher
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Requests may run under an unknown embedded credential with unclear ownership, quota, billing, revocation, or tracking implications.
The code authenticates every Context7 request with either an undeclared environment variable or a hardcoded bearer key, despite the registry declaring no required env vars and no primary credential.
API_KEY = os.environ.get("CONTEXT7_API_KEY", "ctx7sk-d6069954-...") ... headers = {"Authorization": f"Bearer {API_KEY}"}
Remove the embedded key or clearly document it; preferably require users to provide their own Context7 key through a declared environment variable.
Library names and query text from coding tasks may be sent to Context7 more often than a user expects.
The instruction encourages broad autonomous use of the helper whenever libraries are involved; this fits the stated purpose, but it expands when the agent may contact the external Context7 API.
Use PROACTIVELY when: (1) Working with ANY external library ... Always prefer this over guessing library APIs
Use the skill for documentation lookups, but avoid including secrets, proprietary code details, or sensitive project information in documentation queries.
