Morrow Context7
Analysis
This is a coherent documentation-lookup skill, with the main cautions being that it runs an external npm MCP server and sends lookup queries to Context7.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
The server runs via `npx -y @upstash/context7-mcp` with no auth required.
The executable component is an external npm package invoked without a pinned version. This is central to the skill's purpose and disclosed, but users are relying on the npm package source and future package contents.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
context7-mcp is a Model Context Protocol (MCP) server that queries [context7.com](https://context7.com) for indexed documentation.
The skill uses an MCP server to send documentation lookup requests to an external service. This is expected for live documentation lookup, but query text may include details from the user's task.