Context7 MCP
Pass
Audited by ClawScan on May 10, 2026.
Overview
This looks like a straightforward Context7 documentation-search CLI, with expected notes around API-key use, external queries, and npm dependencies.
This skill appears safe to install if you are comfortable using Context7. Before using it, create a dedicated Context7 API key, keep the .env file private, avoid putting secrets or confidential project details in search questions, and treat returned documentation as reference material rather than trusted instructions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill will use your Context7 API key for documentation-search requests.
The code reads a Context7 API key and uses it to authenticate API requests. This is expected for the documented service, but it is still delegated credential use.
let API_KEY = process.env.CONTEXT7_API_KEY; ... "Authorization": `Bearer ${API_KEY}`
Use a dedicated Context7 key, keep the .env file private, and update the skill metadata to declare CONTEXT7_API_KEY.
If a user includes secrets, private code details, or confidential project information in the question, those details may be sent to Context7.
The skill intentionally sends the user's query to the Context7 API for better ranking. This is purpose-aligned, but the data leaves the local environment.
always include the user's original question in the query parameter
Avoid including secrets or confidential data in documentation-search queries, and review Context7's data handling policies if this is used for sensitive work.
Returned documentation may shape the agent's response and could contain outdated, incorrect, or instruction-like text.
The skill is designed to retrieve external documentation text for use as model context. That context can influence agent answers and should not be treated as authoritative instructions.
Use `type=txt` when you want to pipe the documentation directly into an LLM prompt as plain text.
Treat retrieved documentation as reference material, prefer high-trust sources, and verify important guidance against original source URLs.
Installing the skill will pull npm packages needed to run the CLI.
The setup requires installing npm dependencies. This is normal for the TypeScript CLI, but it adds the usual third-party package supply-chain surface.
Install dependencies:
```bash
npm install
```
Install from a trusted environment, keep the package-lock.json in use, and review dependency changes before upgrading.
