fetch-library-docs

Warn

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: MEDIUM

REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION

Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The scripts load-api-key.sh, fetch-raw.sh, and start-server.sh all execute npx -y @upstash/context7-mcp. This command automatically downloads and runs code from a public registry at runtime, which is a major remote code execution vector if the package is compromised or typosquatted.
  • [CREDENTIALS_UNSAFE] (HIGH): In load-api-key.sh and fetch-raw.sh, the skill passes the Context7 API key via the --api-key command-line flag. This exposes the secret key to all users and monitoring tools on the system through the process list (e.g., ps command).
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill references and executes scripts/mcp-client.py in fetch-raw.sh, but this file is not included in the provided skill files, making it an unverifiable executable dependency.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill frequently connects to external services (npm and context7.com) to download tools and documentation data, increasing the attack surface.
  • [COMMAND_EXECUTION] (LOW): The skill uses a complex chain of local bash scripts (extract-*.sh) utilizing awk and grep for string parsing. While focused on data extraction, this provides a large surface area for command execution.
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection because it ingests documentation from a third-party source without sanitization or explicit boundary markers to isolate instructions embedded in the external content.
      • Ingestion points: External documentation is fetched via fetch-raw.sh and the query-docs tool.
      • Boundary markers: None; the extraction scripts wrap output in Markdown headers but do not provide instructions to the agent to ignore embedded commands.
      • Capability inventory: The skill has broad capabilities to execute shell commands and read/write local files (e.g., ~/.context7.env).
      • Sanitization: Content is filtered for structural blocks but not sanitized for malicious natural language instructions.

Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 22, 2026, 02:08 PM