moai-context7-integration

Warn

Audited by Snyk on Mar 2, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill calls the Context7 API (e.g., Context7Client.get_library_docs and search_documentation against https://api.context7.com/v1) and then directly reads/synthesizes those external documentation results to enhance MDX content, update example files, and drive validation/decision logic (NextraContext7Enhancer, CodeExampleManager, Context7Validator), which exposes the agent to third-party content that can influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The skill performs runtime fetches from the Context7 API (base URL https://api.context7.com/v1) and injects the retrieved documentation into synthesized content/agent context (e.g., synthesize_results, enhance_mdx_content), meaning external content fetched at runtime can directly influence prompts and agent outputs.
Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 2, 2026, 05:14 PM