docs-seeker
Audited by Socket on Feb 16, 2026
1 alert found:
Obfuscated File

The docs-seeker manifest describes plausible, useful tooling for automated documentation discovery, but it has multiple supply-chain and data-flow concerns that warrant caution before use. Primary issues: explicit routing of fetches through a third-party domain (context7.com) rather than canonical vendor docs; layered .env loading that risks exposing sensitive repository/CI secrets to per-skill scripts; and automated agent-spawning guidance without safeguards. Because the actual script implementations are not provided, definitive assessment is limited.

Recommend: review the fetch-docs.js source to confirm endpoints, header/body composition, TLS enforcement, and any telemetry; audit .env loading code to ensure it only reads intended files; implement domain whitelisting and redact/sanitize any env-derived data before transmission; and add strict limits/quota checks for agent spawning. Until those checks are validated, treat the package as potentially risky for use in environments with sensitive secrets.