Context7 API Documentation Fetcher
Verdict: Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: context7-api
Version: 1.0.0
The skill is classified as suspicious due to the hardcoded API key found in `scripts/context7.py`. While the script's primary function is to fetch documentation from context7.com, the inclusion of a default API key (`ctx7sk-d6069954-149e-4a74-ae8f-85092cbfcd6f`) directly in the source code is a poor security practice and constitutes an information exposure, even if the key's specific permissions are unknown. This is a risky capability without clear malicious intent, but it prevents a benign classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Requests may run under an unknown embedded credential with unclear ownership, quota, billing, revocation, or tracking implications.
The code authenticates every Context7 request with either an undeclared environment variable or a hardcoded bearer key, despite the registry declaring no required env vars and no primary credential.
`API_KEY = os.environ.get("CONTEXT7_API_KEY", "ctx7sk-d6069954-...") ... headers = {"Authorization": f"Bearer {API_KEY}"}`
Remove the embedded key or clearly document it; preferably require users to provide their own Context7 key through a declared environment variable.
Library names and query text from coding tasks may be sent to Context7 more often than a user expects.
The instruction encourages broad autonomous use of the helper whenever libraries are involved; this fits the stated purpose, but it widens the range of situations in which the agent may contact the external Context7 API.
Use PROACTIVELY when: (1) Working with ANY external library ... Always prefer this over guessing library APIs
Use the skill for documentation lookups, but avoid including secrets, proprietary code details, or sensitive project information in documentation queries.
