context7-auto-research

Warn

Audited by Socket on Mar 1, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

The provided SKILL metadata and README describe a plausible documentation-fetching integration that requests an optional API key and is installed via 'npx skills add'. There is no direct evidence in this fragment of active malicious code (no hardcoded secrets, no remote exfiltration endpoints listed, no obfuscated payloads). However, the distribution/install mechanism (npx installation of a third-party skill), absence of explicit network endpoints, potential for transitive dependency installation, and auto-trigger capability raise meaningful supply-chain and credential risks. Without the actual implementation (source code, dependency lockfile, and the exact endpoints used), this skill should be treated as medium risk: acceptable with caution only if consumers review the installed code, pin versions, audit dependencies, and restrict API keys or run it in a constrained environment.

Confidence: 75%
Severity: 65%

Audit Metadata

Analyzed At: Mar 1, 2026, 08:53 PM
Package URL: pkg:socket/skills-sh/baotoq%2Fmicro-commerce%2Fcontext7-auto-research%2F@f2ad37976fb65db0eed83a38b3be25cdcf55d323