Context7 Documentation Skill
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent Context7 documentation lookup skill; the main things to notice are disclosed external API use, optional API-key use, and under-declared curl/jq requirements in registry metadata.
Before installing, be comfortable with the agent sending documentation questions to context7.com. Do not include secrets, private code, or credentials in queries. If you set CONTEXT7_API_KEY, use a Context7-specific key and keep it private. Also make sure curl and jq are installed, since registry metadata does not list them even though the skill requires them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may not work unless curl and jq are installed, and the install UI may not clearly surface that it uses internet access.
The skill discloses local binary and network requirements, but the registry requirements/capability signals list none, so the install metadata may understate what the skill needs.
compatibility: Requires curl, jq, and internet access. Optional CONTEXT7_API_KEY env var for higher rate limits.
Ensure curl and jq are available from trusted system packages, and treat the metadata gap as an install transparency issue rather than hidden behavior.
If a query contains private code, credentials, or sensitive project details, that information could be sent to Context7.
The user's documentation query and selected library ID are sent to the external Context7 API.
PAYLOAD=$(jq -n --arg query "$QUERY" --arg libraryId "$LIBRARY_ID" '{query: $query, libraryId: $libraryId}') ... curl ... "${API_BASE}/context" ... -d "$PAYLOAD"
Use short, non-sensitive documentation queries and follow the skill's instruction not to include API keys, passwords, credentials, or personal data.
A Context7 API key, if configured, is used for this service's requests; the artifacts do not show logging or unrelated use of the key.
The script reads an optional Context7 API key from the environment and sends it as a bearer token to Context7.
if [[ -n "${CONTEXT7_API_KEY:-}" ]]; then
  AUTH_HEADER="Authorization: Bearer $CONTEXT7_API_KEY"
fi
Use a Context7-specific key with the minimum needed access, keep it out of prompts and shared logs, and rotate it if exposed.
