context7
Retrieve up-to-date documentation for software libraries, frameworks, and components via the Context7 API. This skill should be used when looking up documentation for any programming library or framework, finding code examples for specific APIs or features, verifying correct usage of library functions, or obtaining current information about library APIs that may have changed since training.
88
84%
Does it follow best practices?
Impact
92%
3.40xAverage score across 3 eval scenarios
Advisory
Suggest reviewing before use
Security
2 findings — 2 medium severity. This skill can be installed but you should review these findings before use.
W011: Third-party content exposure detected (indirect prompt injection risk)
What this means
The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.
Why it was flagged
Third-party content exposure detected (high risk: 0.90). This skill's SKILL.md workflow explicitly instructs the agent to query the public Context7 API endpoints (https://context7.com/api/...) to fetch documentation/snippets for libraries, which the agent is expected to read and act on, exposing it to untrusted third-party content that could contain injected instructions.
W012: Unverifiable external dependency detected (runtime URL that controls agent)
What this means
The skill fetches instructions or code from an external URL at runtime, and the fetched content directly controls the agent’s prompts or executes code. This dynamic dependency allows the external source to modify the agent’s behavior without any changes to the skill itself.
Why it was flagged
Potentially malicious external URL detected (high risk: 0.80). The skill performs runtime requests to https://context7.com/api/v2/context (and the related /api/v2/libs/search) and injects the returned documentation into the agent’s context to drive responses, meaning remote content is fetched at runtime and directly controls the agent’s prompts and is a required dependency.
- Repository
- intellectronica/agent-skills
- Commit
9f7f750
- Audited
- Security analysis
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.