Context7 Cli
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent Context7 documentation helper, but users should notice that setup installs external CLI tooling and authentication uses a Context7 API key.
Before installing, confirm you trust the Context7 CLI and Bun installation sources, run setup commands intentionally, and use a revocable Context7 API key. The documented behavior is otherwise consistent with a documentation-search helper.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing this could run code supplied by an external project rather than code reviewed in this skill package.
The setup directs installation of an external GitHub-hosted CLI that is not included in the artifact manifest or pinned to a specific version.
npx api2cli install Melvynx/context7-cli
Install only if you trust the Context7 CLI source, and prefer a pinned or reviewed release when available.
Running the setup command can execute remote installation code on the local machine.
The documented fallback setup uses a downloaded shell installer, which is a normal but sensitive way to install local tooling.
bun --version || curl -fsSL https://bun.sh/install | bash
Review the installer source and run the setup manually only when you intend to install Bun and the Context7 CLI.
The CLI will be able to use the configured Context7 account key for documentation requests.
The skill asks the user to configure a Context7 API key even though registry metadata lists no primary credential.
context7-cli auth set "your-ctx7sk-api-key"
Use a dedicated or revocable Context7 API key and avoid sharing the key in prompts, logs, or screenshots.