fetch-library-docs

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): The skill uses npx -y @upstash/context7-mcp in scripts/load-api-key.sh, scripts/start-server.sh, and via the mcp-client.py wrapper. This command downloads and executes code from the npm registry at runtime without version pinning or integrity verification.
  • COMMAND_EXECUTION (HIGH): The core execution logic in references/context7-tools.md and scripts/fetch-raw.sh relies on python scripts/mcp-client.py call -s "npx ...". This pattern of passing executable shell strings to a Python wrapper indicates a high risk of command injection if parameters like libraryId or topic are not strictly sanitized.
  • PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
      • Ingestion Point: scripts/fetch-raw.sh fetches arbitrary documentation content from an external provider (Context7).
      • Boundary Markers: Absent. The skill does not wrap fetched content in delimiters or include 'ignore embedded instructions' warnings for the agent.
      • Capability Inventory: The agent using this skill is intended for coding tasks, implying it likely has file-write and command execution capabilities.
      • Sanitization: The skill uses awk and grep (e.g., scripts/extract-code-blocks.sh) for structural filtering, but it performs no semantic sanitization to prevent malicious natural language instructions within the docs from hijacking the agent.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill depends on @upstash/context7-mcp and the Context7 API. Neither Upstash nor Context7 is within the predefined [TRUST-SCOPE-RULE] list of trusted organizations, making these unverifiable external dependencies.
  • CREDENTIALS_UNSAFE (LOW): While the skill correctly encourages environment variables, scripts/setup-api-key.sh facilitates saving API keys to .context7.env in the current directory and ~/.context7.env. This creates a risk of accidental credential exposure if these files are committed to version control (though the script does warn about .gitignore).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:47 PM