context7-cli
Warn
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill provides instructions for downloading and installing AI coding skills from arbitrary third-party GitHub repositories using the `ctx7 skills install /owner/repo` command. This creates a significant attack vector where unvetted markdown instructions or scripts can be introduced into the agent's core operating directory (e.g., `~/.claude/skills`).
- [COMMAND_EXECUTION]: The skill requires the execution of multiple system-level commands, including global installation of the CLI (`npm install -g ctx7`) and interactive setup commands (`ctx7 setup`) that modify IDE and agent configuration files like `.mcp.json` or `.cursor/mcp.json`.
- [DATA_EXFILTRATION]: The commands `ctx7 library` and `ctx7 docs` transmit user-supplied queries to external Context7 servers. While the documentation contains explicit warnings to avoid including sensitive data like API keys or PII, this functionality represents a potential surface for data exposure via the query parameters.
- [PROMPT_INJECTION]: The skill functions as an ingestion point for external content (documentation and third-party skills). The `ctx7 docs` command fetches snippets from a remote registry which are then processed by the agent; if this external content contains malicious instructions disguised as documentation, it could influence agent behavior (Indirect Prompt Injection). There are no clear boundary markers or sanitization steps documented to mitigate this risk beyond general warnings.