
context7

Fail

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis

================================================================================

🔴 VERDICT: HIGH

This skill instructs the user to run npm install, which downloads and executes code from external, unverified sources. This poses a significant risk as malicious packages could execute arbitrary commands on the user's system. While the skill's primary function is to interact with the Context7 API, requiring an API key to be sent to context7.com, this is part of its intended design and not considered malicious data exfiltration to an unintended recipient.

Total Findings: 3

🔴 HIGH Findings: • Unverifiable Dependencies & Command Execution

  • SKILL.md Line 17: The instruction npm install downloads and executes code from external sources, which can include arbitrary post-install scripts. This introduces a high risk of command execution from unverified third-party packages.

🔵 LOW Findings: • API Key Usage

  • docs.js Line 36, search.js Line 32: The skill reads the CONTEXT7_API_KEY environment variable and sends it in the Authorization header to https://context7.com. This is the intended functionality of the skill, as the user is directed to obtain the key from context7.com for use with their service. This is noted for transparency but is not considered malicious data exfiltration.

ℹ️ TRUSTED SOURCE References: • No trusted external sources were identified in this skill.

================================================================================

Recommendations
  • AI detected serious security threats

Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 13, 2026, 07:34 AM