Find Docs

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed documentation lookup helper that uses the Context7 CLI; its main risk is sending technical queries to an external service.

Install this only if you are comfortable with an agent running the Context7 npm CLI and sending sanitized documentation-style queries to Context7. Do not use it with API keys, passwords, private source code, customer data, or confidential architecture details in the query text; authenticate with Context7 only if you need higher limits.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 96% confidence
Finding: The skill’s activation guidance is extremely broad: it says to use this skill for virtually any technical question, code generation task, debugging scenario, or documentation lookup involving external technologies. That can cause over-triggering, increasing unnecessary external lookups, data exposure risk in queries, and dependence on a third-party tool even when not needed. In this context, the skill is documentation-focused rather than overtly harmful, which lowers the severity, but the breadth still creates a real security and privacy concern if user prompts or proprietary context are sent out too readily.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal