Context7
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest documentation and code examples from an external API (context7.com) and provide them to the agent to guide technical decisions and code generation. This creates a high-severity vulnerability surface.
  - Ingestion points: Data enters the agent context through Tools/src/cli/lookup.ts and Tools/src/cli/query.ts, which fetch external documentation snippets.
  - Boundary markers: Absent. The CLI tools output raw documentation content without delimiters or warnings to the agent to ignore embedded instructions.
  - Capability inventory: The agent is explicitly instructed to use this documentation to 'verify API signatures' and 'synthesize responses' in coding sessions, effectively granting the external data influence over executed code.
  - Sanitization: Absent. There is no filtering or validation of the retrieved documentation to prevent malicious instructions (e.g., hidden in code comments) from influencing the agent.
- Remote Code Execution / Unverifiable Logic (MEDIUM): The core implementation file Tools/src/lib/context7.ts is missing from the skill package. This file contains the Context7Client class, which performs the actual network requests. Without this code, the destination of the CONTEXT7_API_KEY and the exact nature of the external communication cannot be verified.
- Command Execution (LOW): The skill relies on CLI tools executed via bun or npx tsx. While these are part of the intended workflow, they allow the agent to execute shell commands. The workflows explicitly instruct the agent to run these commands with user-provided library names and queries, which could be exploited if the agent does not properly sanitize inputs before shell execution.
Recommendations
- AI detected serious security threats
Audit Metadata