Is context7 safe?
https://clawhub.ai/TheSethRose/context7
Context7 is a documentation search CLI that wraps the Context7.com API. The primary concerns are: (1) it reads .env files and transmits API keys to an external service, (2) the install process accessed sensitive files outside the skill directory including .aws/credentials, and (3) it has a large dependency tree with native install scripts that increase supply chain risk. No malicious intent was detected, but the credential handling patterns and install-time file access warrant caution.
Findings (9)
HIGH Reads .env file and sends API key to external service -25
query.ts reads the .env file from its directory to extract CONTEXT7_API_KEY, then sends it as a Bearer token to context7.com. While this is the intended functionality, it establishes a pattern of reading local secrets and transmitting them externally.
HIGH Install process accessed sensitive files outside skill directory -30
During installation, monitoring detected file access to /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json. These are sensitive credential stores outside the skill's directory. While this may be caused by the ClawdBot runtime rather than the skill itself, it represents credential exposure during the install lifecycle.
MEDIUM External HTTP requests to context7.com with user credentials -15
The skill makes outbound HTTP requests to https://context7.com/api/v2/libs/search and https://context7.com/api/v2/context, transmitting the user's API key. If the context7.com domain were compromised or its DNS hijacked, credentials would be sent to an attacker.
MEDIUM Large transitive dependency tree with native install scripts -20
The skill depends on mcp-client which pulls in @modelcontextprotocol/sdk, express, and dozens of transitive dependencies. esbuild includes hasInstallScript:true for native binary installation. This large attack surface increases supply chain risk.
MEDIUM Scripts reference missing files (read.ts, explore.ts) -10
package.json defines scripts for 'read' and 'explore' that reference read.ts and explore.ts, but these files are not present in the skill. This could indicate incomplete packaging or that additional executable code was intended but not included.
LOW Temp file creation in /tmp during install -5
The install process created files in /tmp/jiti/ and /tmp/openclaw-1000/. While /tmp usage is normal for build caches, 20+ files were created, suggesting JIT compilation of the ClawdBot runtime.
LOW Skill instructs user to run npm install -5
The SKILL.md instructs users to run 'npm install', which triggers dependency resolution and potential install scripts. This is standard for Node.js projects but represents a code execution vector.
INFO API key loaded from environment variable fallback -5
query.ts first checks process.env.CONTEXT7_API_KEY before falling back to .env file reading. This is good practice but means the key could come from the agent's environment if set globally.
INFO SKILL.md content is empty in rendered form -5
The SKILL.md content block passed to the analysis appears empty, but the full file shows standard documentation. No hidden instructions or Unicode tricks were detected.