context7-cli

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to install a global NPM package (npm install -g ctx7@latest) or run it directly via npx. This involves downloading and executing remote code from the NPM registry.
  • [EXTERNAL_DOWNLOADS]: The ctx7 skills install /owner/repo command downloads and installs AI coding skills (Markdown files) from specified GitHub repositories into the agent's configuration directories (e.g., ~/.claude/skills).
  • [COMMAND_EXECUTION]: The skill relies extensively on executing shell commands to interact with the ctx7 tool. These commands incorporate user-provided inputs such as library names, queries, and repository paths.
  • [DATA_EXFILTRATION]: The ctx7 skills suggest command scans local project configuration files (package.json, requirements.txt, pyproject.toml, etc.) to identify dependencies and recommend matching skills from a remote registry.
  • [DATA_EXFILTRATION]: Documentation queries formulated by the agent are sent to external APIs managed by Context7. While the skill advises against including sensitive data in queries, this remains a potential surface for data exposure.
  • [CREDENTIALS_UNSAFE]: The documentation suggests the command ctx7 setup --api-key YOUR_KEY, which involves passing a secret API key as a command-line argument. This is an insecure practice as it can expose the sensitive key in the system's shell history or process list.
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8).
      • Ingestion points: Data enters the agent context via documentation results from ctx7 docs and skill files downloaded via ctx7 skills install.
      • Boundary markers: The instructions do not define specific delimiters or "ignore previous instruction" warnings for the external content retrieved.
      • Capability inventory: The agent has the capability to execute shell commands and write files to its own instruction directories.
      • Sanitization: There is no evidence of automated sanitization or filtering of the content retrieved from documentation or GitHub repositories.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Mar 29, 2026, 04:16 PM