ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Context7 API Documentation Fetcher

Fetch up-to-date library documentation via Context7 API. Use PROACTIVELY when: (1) Working with ANY external library (React, Next.js, Supabase, etc.) (2) User asks about library APIs, patterns, or best practices (3) Implementing features that rely on third-party packages (4) Debugging library-specific issues (5) Need current documentation beyond training data cutoff Always prefer this over guessing library APIs or using outdated knowledge.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.9k · 7 current installs · 7 all-time installs
by@am-will
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description match the included script: the tool queries context7.com for library docs. However the skill metadata declares no required credentials or env vars while the script expects CONTEXT7_API_KEY (and falls back to a hardcoded key). The missing declaration of the API credential is an incoherence.
Instruction Scope
SKILL.md instructs running the packaged script to search and fetch context; it does not direct reading unrelated local files or other secrets. But the instructions omit any mention of setting CONTEXT7_API_KEY or the presence of a default key, which may cause silent use of the embedded key when run.
Install Mechanism
No install spec; this is an instruction-only skill with a local Python script. No external download/install step is present, which minimizes install-time risk.
!
Credentials
The code reads an environment variable CONTEXT7_API_KEY but the skill metadata lists no required env vars or primary credential. Worse, the script embeds a default API key in source — embedding credentials in code is inappropriate and increases risk (key leakage, abuse, or unexpected shared usage).
Persistence & Privilege
The skill does not request permanent presence (always:false) and doesn't attempt to modify other skills or system-wide settings. It runs as an on-demand CLI client.
Scan Findings in Context
[hardcoded_api_key] unexpected: The Python script contains a hardcoded default API key (API_KEY default value). For a client that should rely on a user-provided API key this is unexpected and risky: the embedded key could be expired, shared, or abused.
[undeclared_env_var_usage] unexpected: The code reads CONTEXT7_API_KEY from the environment, but the skill's metadata does not declare any required environment variables or primary credential; the SKILL.md also fails to instruct the user to set this variable.
What to consider before installing
This skill appears to be what it says (a Context7 API client), but it has two issues you should consider before installing or using it: - Hardcoded API key: The script contains a default API key baked into source. That key could be shared, revoked, or abused. Do not assume it's safe to use — prefer to set your own CONTEXT7_API_KEY in your environment and remove the embedded key from the copy you run. - Undeclared credential requirement: The skill metadata and SKILL.md do not mention the required CONTEXT7_API_KEY. Ask the publisher: who owns the default key and should you be using it? Ideally the skill should require you to provide your own key and document how to obtain it. - Data exposure: The script sends queries and potentially code/queries to an external service (context7.com). Avoid sending sensitive secrets or full source files in queries. Review Context7's privacy policy and ensure you trust the endpoint before sending proprietary code or credentials. Recommended actions: 1) Request the skill author to remove the hardcoded key and update SKILL.md to declare CONTEXT7_API_KEY as required and explain how to get one. 2) If you must use the skill now, set CONTEXT7_API_KEY in your environment to a key you control and sanitize any queries to avoid leaking secrets. 3) If you cannot verify the origin/ownership of the embedded key or the service, do not use the default key and consider not installing the skill until the author provides clarification.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk977j3tt8e8k1caz0tczf2b45s7zdn37

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Context7 Documentation Fetcher

Retrieve current library documentation via Context7 API.

Workflow

1. Search for the library

python3 ~/.claude/skills/context7/scripts/context7.py search "<library-name>"

Example:

python3 ~/.claude/skills/context7/scripts/context7.py search "next.js"

Returns library metadata including the id field needed for step 2.

2. Fetch documentation context

python3 ~/.claude/skills/context7/scripts/context7.py context "<library-id>" "<query>"

Example:

python3 ~/.claude/skills/context7/scripts/context7.py context "/vercel/next.js" "app router middleware"

Options:

  • --type txt|md - Output format (default: txt)
  • --tokens N - Limit response tokens

Quick Reference

TaskCommand
Find React docssearch "react"
Get React hooks infocontext "/facebook/react" "useEffect cleanup"
Find Supabasesearch "supabase"
Get Supabase authcontext "/supabase/supabase" "authentication row level security"

When to Use

  • Before implementing any library-dependent feature
  • When unsure about current API signatures
  • For library version-specific behavior
  • To verify best practices and patterns

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…