Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Morrow Context7

v1.0.0

Look up current, accurate documentation and code examples for any library or framework using context7-mcp. Use when an agent needs to know how to use a libra...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and SKILL.md consistently describe a documentation lookup tool. Required binary (npx) is appropriate for invoking an npm-hosted MCP client.
Instruction Scope
Runtime instructions are narrowly scoped to resolving library IDs and querying docs via the context7-mcp tool; they do not ask for unrelated files, environment variables, or broad system data. Recommendations (cache IDs, limit calls) are reasonable.
Install Mechanism (flagged)
The skill relies on running `npx -y @upstash/context7-mcp` at runtime. npx will download and execute code from the npm registry (supply-chain risk). The package namespace (@upstash) and the skill homepage (context7.com) are not obviously the same publisher—this mismatch warrants provenance checks. No local install spec is provided, so code will be fetched dynamically each run.
Credentials
No credentials or sensitive environment variables are requested. The skill suggests storing an MCP command via an operator slash command (agent config), which is proportionate to its purpose of providing a tool endpoint.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It suggests configuring an MCP command in the agent, which is expected behavior and limited in scope.
What to consider before installing
This skill appears to do what it says (fetch live docs) and needs only npx, but it will execute an npm package at runtime. Running `npx -y @upstash/context7-mcp` downloads and runs code from the registry each time — verify the package and publisher before use.

Steps to reduce risk:
- Check the npm package page and repository for @upstash/context7-mcp and confirm ownership and recent activity.
- Verify that context7.com and the npm package are owned/endorsed by the same party (or by a trusted partner like Upstash).
- If possible, inspect the package source code, or pin to a specific vetted version, rather than running with `-y`, which skips the install confirmation and, with no version pinned, fetches the latest release.
- Run the tool in an isolated environment (sandbox/container) when first testing.
- Be cautious about sending sensitive project code or secrets to the tool; it queries remote servers and will transmit your query.

If you can't verify the package provenance or are uncomfortable with on-demand npm execution, treat this skill as untrusted until the upstream code and ownership are confirmed.


latest: vk972f73gfkw668mf8rjsy6vx2d83qrxt


Runtime requirements

Clawdis
Bins: npx
