ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Context7 Cli

v0.1.0

Manage Context7 via CLI - search libraries, get documentation context. Use when user mentions 'context7', 'library docs', 'documentation context', or wants t...

0· 198·2 current·2 all-time
byMelvyn@melvynx
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to manage Context7 docs via a CLI and the SKILL.md only instructs installing/using a context7-cli and setting a Context7 API key (ctx7sk...). Requested capabilities (API key, CLI install) match the stated purpose.
Instruction Scope
Runtime instructions stay on-topic (search libs, get docs, use --json). They do not instruct reading unrelated files or exfiltrating data. Note: the README includes installation steps (curl | bash and npx api2cli) which run networked installers — that alters system state and is outside pure runtime doc lookups, but is still within installing a CLI.
!
Install Mechanism
There is no packaged install in the registry; the SKILL.md tells users to run 'npx api2cli install Melvynx/context7-cli' or to install bun via 'curl -fsSL https://bun.sh/install | bash' and then run npx bundle/link. Piping a script from the network to bash and pulling packages with npx are common but higher-risk supply-chain actions — verify the source and repository before running.
Credentials
The skill does not declare or require environment variables or unrelated credentials. It expects the user to obtain a Context7 API key and set it in the CLI, which is appropriate for this purpose.
Persistence & Privilege
always is false and there is no install spec that forces persistent system-wide changes beyond installing a CLI into the user's environment. The skill does not request special privileges or modify other skills' configs.
Assessment
This skill appears to be what it says: a wrapper around the Context7 CLI. Before installing, verify you trust the Context7 project and the GitHub repo named (Melvynx/context7-cli). Be cautious about running 'curl ... | bash' (installs bun) and about npx pulling packages — these execute remote code on your machine. Prefer checking the repo contents manually (review source or releases), run installs in a sandbox or VM if unsure, and create/revoke API keys from your Context7 dashboard if you need to rotate access. If you prefer, ask the skill author for a signed release or a package manager distribution instead of running remote install scripts.

Like a lobster shell, security has layers — review code before you run it.

latestvk974dwb1az9wy5xq2rvfgwydpx82w05r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments