Context7 MCP - Intelligent documentation search and context for any library
Security Analysis
Confidence: medium
The skill's code and instructions require a CONTEXT7_API_KEY and npm dependencies, but the registry metadata does not declare any required credentials or an install spec, and other small inconsistencies make the package look sloppy or misconfigured.
The skill's name/description (documentation search/context) matches the implemented behavior: query.ts calls https://context7.com APIs. Requested binary 'node' is appropriate. However, the registry metadata claims no required env vars or primary credential, while the code and README require a CONTEXT7_API_KEY — this mismatch is unexpected.
SKILL.md and query.ts confine actions to calling Context7 REST APIs (GET requests) and printing results. That's within scope. Concerns: SKILL.md tells users to copy a .env.example to .env, but no .env.example file is included in the package; query.ts also attempts to read a local .env file in addition to process.env. The instructions are otherwise explicit and do not reference unrelated system files or external endpoints beyond context7.com.
There is no automated install spec in the registry (instruction-only), which is lower risk, but package.json + package-lock.json are included and SKILL.md tells users to run npm install. That is reasonable, but the package declares dependencies (mcp-client, zod) even though query.ts does not import them. The lockfile is large with many dev/optional esbuild binaries — not malicious but unnecessary and worth auditing.
The runtime requires CONTEXT7_API_KEY (read from process.env or a local .env) to function, but the skill's declared requirements list zero env vars and no primary credential. Requiring an API key for the third-party service itself is proportionate to the stated purpose, but the omission from the metadata is an incoherence that could mislead users. No other secrets are requested.
The skill does not request always:true, does not modify other skills or system config, and does not claim persistent/background privileges. It simply expects to be run with node when invoked.
Guidance
This skill appears to be what it says (a Context7 documentation query tool) but has configuration/metadata inconsistencies you should resolve before installing or running it. Specifically:
- The code requires CONTEXT7_API_KEY (via environment or a local .env), but the registry metadata does not declare this; expect to provide your API key.
- SKILL.md tells you to copy .env.example, but no .env.example is bundled; ensure you get the API key from the official Context7 dashboard (https://context7.com) rather than an untrusted source.
- package.json lists dependencies (mcp-client, zod) not used by query.ts, and a large package-lock.json is included; consider running a dependency audit (npm audit) and inspecting third-party packages for unexpected network behavior before running npm install.
- The CLI only contacts context7.com in the code. If you plan to grant this skill an API key, be comfortable that the key will be sent to that domain.
If you don't have a Context7 account or don't trust the publisher, do not provide credentials. If you want to proceed, ask the publisher to update the registry metadata to declare CONTEXT7_API_KEY as a required credential, remove or explain unused dependencies, and include the missing .env.example or clearer setup instructions. If you are unsure, treat this package as untrusted and avoid running npm install or executing the script until those issues are addressed.
Latest Release
v1.0.3
Added best practices section for search, context, versioning, and quality filtering
Published by @TheSethRose on ClawHub