Fetch up-to-date library documentation via Context7 API. Use PROACTIVELY when: (1) Working with ANY external library (React, Next.js, Supabase, etc.) (2) User asks about library APIs, patterns, or best practices (3) Implementing features that rely on third-party packages (4) Debugging library-specific issues (5) Need current documentation beyond training data cutoff Always prefer this over guessing library APIs or using outdated knowledge.
Security Analysis
high confidenceThe skill largely does what it claims (calls Context7 APIs), but it embeds a default API key in source and fails to declare or document required credentials — a surprising and risky mismatch.
The name/description match the included script: the tool queries context7.com for library docs. However the skill metadata declares no required credentials or env vars while the script expects CONTEXT7_API_KEY (and falls back to a hardcoded key). The missing declaration of the API credential is an incoherence.
SKILL.md instructs running the packaged script to search and fetch context; it does not direct reading unrelated local files or other secrets. But the instructions omit any mention of setting CONTEXT7_API_KEY or the presence of a default key, which may cause silent use of the embedded key when run.
No install spec; this is an instruction-only skill with a local Python script. No external download/install step is present, which minimizes install-time risk.
The code reads an environment variable CONTEXT7_API_KEY but the skill metadata lists no required env vars or primary credential. Worse, the script embeds a default API key in source — embedding credentials in code is inappropriate and increases risk (key leakage, abuse, or unexpected shared usage).
The skill does not request permanent presence (always:false) and doesn't attempt to modify other skills or system-wide settings. It runs as an on-demand CLI client.
Guidance
This skill appears to be what it says (a Context7 API client), but it has two issues you should consider before installing or using it: - Hardcoded API key: The script contains a default API key baked into source. That key could be shared, revoked, or abused. Do not assume it's safe to use — prefer to set your own CONTEXT7_API_KEY in your environment and remove the embedded key from the copy you run. - Undeclared credential requirement: The skill metadata and SKILL.md do not mention the required CONTEXT7_API_KEY. Ask the publisher: who owns the default key and should you be using it? Ideally the skill should require you to provide your own key and document how to obtain it. - Data exposure: The script sends queries and potentially code/queries to an external service (context7.com). Avoid sending sensitive secrets or full source files in queries. Review Context7's privacy policy and ensure you trust the endpoint before sending proprietary code or credentials. Recommended actions: 1) Request the skill author to remove the hardcoded key and update SKILL.md to declare CONTEXT7_API_KEY as required and explain how to get one. 2) If you must use the skill now, set CONTEXT7_API_KEY in your environment to a key you control and sanitize any queries to avoid leaking secrets. 3) If you cannot verify the origin/ownership of the embedded key or the service, do not use the default key and consider not installing the skill until the author provides clarification.
Latest Release
v1.0.0
Initial release - Python-based Context7 API client for fetching up-to-date library documentation with search and context commands
More by @am-will
Published by @am-will on ClawHub
