Is jaylane/context7-docs safe?

https://github.com/openclaw/skills/tree/main/skills/jaylane/context7-docs

88
SAFE

This skill is a legitimate documentation-fetching wrapper for the Context7 API, providing agents with up-to-date library documentation via two clean shell scripts. The skill contains no prompt injection attempts, no sensitive file targeting, no malicious code, and installation was clean with no unexpected network activity. The primary risk is inherent to the skill's design: user query text is transmitted to the third-party context7.com service, and content returned from that service is processed by the agent — both expected behaviors that are documented transparently in SKILL.md.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 92/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (5)

LOW User queries transmitted to third-party API -20

Every use of this skill sends the user's query text to https://context7.com/api. While this is the skill's documented and stated purpose, users should be aware that query content (which may include library names, internal project terminology, or incidentally sensitive phrasing) is processed by a third-party service. The skill explicitly warns against including credentials in queries.

LOW Broad curl:* tool permission -12

The allowed-tools directive specifies Bash(curl:*), which permits curl to any URL. The skill's instructions constrain usage to context7.com, but the wildcard permission itself could be exploited by injected content from other sources to direct the agent to curl arbitrary endpoints.

LOW Documentation response content is agent-processed (upstream injection risk) -18

Content returned from context7.com is presented to the agent as documentation to be interpreted and relayed to the user. If context7.com were compromised or adversarially operated, malicious content in API responses could attempt prompt injection against the consuming agent. This is a supply-chain risk inherent to any skill that consumes external content.

INFO Shell scripts included but are clean -8

Two bash scripts (resolve-library.sh, query-docs.sh) are included. Both follow secure coding patterns: set -euo pipefail, jq-based JSON construction preventing injection, no eval or dynamic execution, no download-and-execute patterns. No install hooks of any kind.

INFO Canary file reads attributed to audit framework, not skill 0

Multiple reads of canary files (.env, .ssh/id_rsa, .aws/credentials, etc.) appear in auditd PATH records. Analysis of timestamps shows these reads occur before skill installation and in same-millisecond batches consistent with the oathe audit framework's own verification scans. All canary files confirmed intact.