code-audit

SUSPICIOUS. The core purpose is legitimate, and the named external service (Context7) appears to be an official, open-source same-org dependency. However, the skill’s reliance on unspecified installed skills, external context loading, and optional auto-fix makes its real execution footprint broader than the description fully explains. Main concerns are transitive trust and indirect prompt-injection risk, not confirmed malware.