context7-auto-research
Audited by Socket on Feb 28, 2026
1 alert found:
Obfuscated File
From the provided README fragment there is no conclusive evidence of intentional malware, but multiple supply-chain and data-exfiltration risks exist: unverified transitive install via npx, missing endpoint/privacy details for the Context7 API, and an auto-trigger feature that can cause network requests using conversational context. Treat the package as medium risk until a repository-level code review confirms that endpoints are legitimate, requests are minimal and redacted as appropriate, TLS is enforced, secrets are not leaked or logged, and there are no post-install or native-binary behaviors. If you cannot perform that review, avoid installing the skill in sensitive environments or run it in a constrained sandbox with network controls.