skills/neolabhq/context-engineering-kit/setup-context7-mcp/Snyk

setup-context7-mcp

Warn

Audited by Snyk on Apr 24, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.90). The skill's required workflow (Step 2) explicitly directs the agent to load a public GitHub raw URL (https://raw.githubusercontent.com/upstash/context7/refs/heads/master/README.md) and to search Context7 MCP for documentation, meaning it fetches and interprets untrusted third-party content that can influence setup actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs at runtime to load https://raw.githubusercontent.com/upstash/context7/refs/heads/master/README.md and use that fetched content to guide the setup (i.e., the external file directly controls agent instructions and is treated as a required dependency).

Issues (2)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

MEDIUM

Analyzed

Apr 24, 2026, 05:13 AM

Issues

2