Security risk report for @forgecat/upstash_context7 v0.0.9
Source Integrity
Low
Profile references legitimate upstream source (Upstash Context7 GitHub repository) with commit hash and MIT license.
No typosquatted, obfuscated, or attacker-controlled package/repository names detected.
Agent Intent
Low
Content describes a documentation lookup tool; no instructions to ignore system prompts, read credentials, or exfiltrate data.
No guidance poisoning: does not plant malicious knowledge, weaken security defaults, or instruct installing backdoored dependencies.
Legitimate use case (fetching library docs from Context7 MCP) with clear, transparent process steps.
Details
Evidence
Agent process: 'Identify the library → Resolve library ID → Fetch documentation → Return focused answer'
Skill activation criteria are legitimate: 'Asks setup questions, code generation, API references'
No instructions to hide, deny, or leak system prompts or tool definitions.
Permissions
PRM-000Medium
The profile connects to an external HTTP MCP server (`https://mcp.context7.com/mcp`), which constitutes outbound network access on every documentation query — slightly broader than a purely local tool.
No shell, file_write, file_mutate, or file_delete tool categories are declared; authority is otherwise well-scoped to read-only documentation retrieval.
The skill auto-triggers broadly on any mention of libraries or frameworks (`alwaysApply`-style activation described in SKILL.md), meaning it fires frequently and sends user queries to an external host without explicit per-request user approval.
Details
Evidence
"url": "https://mcp.context7.com/mcp"
"Activate this skill when the user: Asks setup or configuration questions... Requests code involving libraries... Mentions specific frameworks (React, Vue, Svelte, Express, Tailwind, etc.)"
MCP Risk
MCP-000Medium
The MCP server points to an external host (`https://mcp.context7.com/mcp`) operated by Upstash/Context7 — a known service, but still an external third-party endpoint that receives user queries.
No hidden instructions were found in tool descriptions, and no arbitrary binary execution or full filesystem access is involved.
All user queries about libraries are forwarded to this external server, creating a data-flow dependency on a third-party service; if the endpoint were compromised, it could return poisoned documentation or tool responses.