context7

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: pnpm/action-setup@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: actions/checkout@v6

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: actions/github-script@v7

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: actions/checkout@v6

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: aws-actions/configure-aws-credentials@v5

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: aws-actions/amazon-ecr-login@v2

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: docker/setup-qemu-action@v3

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: docker/setup-buildx-action@v3

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: docker/build-push-action@v6

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: actions/checkout@v6

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: actions/setup-node@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: actions/checkout@v6

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: actions/setup-node@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: pnpm/action-setup@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: changesets/action@v1

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

- uses: actions/checkout@v6

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: actions/setup-node@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: pnpm/action-setup@v4

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

uses: actions/cache@v5

Direct usage of child_process module methods with variable arguments may allow command injection.

import { spawn } from "child_process";

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log('Changeset found!');

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log("");

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.bold("Opening browser to log in..."));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log("");

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim("If the browser didn't open, visit this URL:"));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim("Open this URL in your browser:"));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.cyan(authUrl));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log("");

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.yellow("You are already logged in."));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim("Run 'ctx7 logout' first if you want to log in with a different account."));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log("");

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim("You can now use authenticated Context7 features."));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.green("Logged out successfully."));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.yellow("You are not logged in."));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.yellow("Not logged in."));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim("Run 'ctx7 login' to authenticate."));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.green("Logged in"));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`${pc.dim("Name:".padEnd(13))}${whoami.name}`);

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`${pc.dim("Email:".padEnd(13))}${whoami.email}`);

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`${pc.dim("Teamspace:".padEnd(13))}${whoami.teamspace.name}`);

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim("(Session may be expired - run 'ctx7 login' to refresh)"));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(JSON.stringify(results, null, 2));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(result);

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(JSON.stringify(ctx, null, 2));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`  Visit ${pc.green("https://context7.com/dashboard")} to upgrade.`);

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.bold("What should your agent become an expert at?\n"));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.yellow("Examples:"));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.red('  ✕ "Deploy a Next.js app to Vercel"'));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.green('  ✓ "Best practices and constraints for deploying Next.js apps to Vercel"'));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.red('  ✕ "Use Tailwind for responsive design"'));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.green('  ✓ "Responsive layout decision-making with Tailwind CSS"'));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.red('  ✕ "Build OAuth with NextAuth"'));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.green('  ✓ "OAuth authentication patterns and pitfalls with NextAuth.js"'));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim("You can adjust which sources the skill is based on.\n"));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`${pc.green("✓")} ${pc.dim(`[${questionNum}/${totalQuestions}]`)} ${q.question}`);

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`  ${pc.cyan(truncatedAnswer)}`);

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim("━".repeat(70)));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.bold(`Generated Skill: `) + pc.green(pc.bold(skillName)));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim("━".repeat(70)));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(previewContent);

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(`... ${remainingLines} more lines`));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim("━".repeat(70)));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.yellow("Fix permissions with:"));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(`  sudo chown -R $(whoami) "${parentDir}"`));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.green("Skill saved successfully"));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(pc.dim(`  ${targetDir}/`) + pc.green(skillName));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log("");

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(brand.primary(banner));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(brand.dim("  The open agent skills ecosystem"));

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log("");

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log("  Quick start:");

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`    ${brand.primary("npx ctx7 skills search pdf")}`);

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`    ${brand.primary("npx ctx7 skills install /anthropics/skills")}`);

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log("");

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`  Run ${brand.primary("npx ctx7 --help")} for all commands and options`);

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log(`  Visit ${brand.primary("https://context7.com")} to browse skills`);

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

console.log("");

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

info: (message: string) => console.log(pc.cyan(message)),

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

success: (message: string) => console.log(pc.green(`✔ ${message}`)),

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

warn: (message: string) => console.log(pc.yellow(`⚠ ${message}`)),

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

error: (message: string) => console.log(pc.red(`✖ ${message}`)),

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

dim: (message: string) => console.log(pc.dim(message)),

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

item: (message: string) => console.log(pc.green(`  ${message}`)),

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

itemAdd: (message: string) => console.log(`  ${pc.green("+")} ${message}`),

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

plain: (message: string) => console.log(message),

Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.

blank: () => console.log(""),

Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.

console.warn(`API key should start with '${API_KEY_PREFIX}'`);

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

return tokens.access_token;

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

const existingToken = await getValidAccessToken();

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

const accessToken = await getValidAccessToken();

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

const accessToken = await getValidAccessToken();

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

if (!accessToken) {

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

const whoami = await fetchWhoami(accessToken);

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

async function fetchWhoami(accessToken: string): Promise<WhoamiResponse> {

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

Authorization: `Bearer ${accessToken}`,

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

Authorization: `Bearer ${accessToken}`,

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

function getAccessToken(): string | undefined {

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

return tokens.access_token;

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

const accessToken = getAccessToken();

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

const accessToken = getAccessToken();

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

data = await resolveLibrary(library, query, accessToken);

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

const accessToken = getAccessToken();

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

const accessToken = getAccessToken();

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

result = await getLibraryContext(libraryId, query, { type: outputType }, accessToken);

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

accessToken?: string

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

if (accessToken) {

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers["Authorization"] = `Bearer ${accessToken}`;

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers["Authorization"] = `Bearer ${accessToken}`;

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

accessToken?: string

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

if (accessToken) {

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers["Authorization"] = `Bearer ${accessToken}`;

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers["Authorization"] = `Bearer ${accessToken}`;

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

export async function getSkillQuota(accessToken: string): Promise<SkillQuotaResponse> {

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers: { Authorization: `Bearer ${accessToken}` },

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers: { Authorization: `Bearer ${accessToken}` },

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

accessToken?: string

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

if (accessToken) {

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers["Authorization"] = `Bearer ${accessToken}`;

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers["Authorization"] = `Bearer ${accessToken}`;

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

accessToken?: string

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

if (accessToken) {

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers["Authorization"] = `Bearer ${accessToken}`;

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers["Authorization"] = `Bearer ${accessToken}`;

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

function getAuthHeaders(accessToken?: string): Record<string, string> {

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers["Authorization"] = `Bearer ${apiKey}`;

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

} else if (accessToken) {

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers["Authorization"] = `Bearer ${accessToken}`;

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers["Authorization"] = `Bearer ${accessToken}`;

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

accessToken?: string

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers: getAuthHeaders(accessToken),

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

accessToken?: string

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers: getAuthHeaders(accessToken),

API endpoints without rate limiting are vulnerable to brute force and denial of service.

app.get("/ping", (_req: express.Request, res: express.Response) => {

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

headers["Authorization"] = `Bearer ${context.apiKey}`;

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

Authorization: `Bearer ${apiKey}`,

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

Authorization: `Bearer ${apiKey}`,

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

"url": "https://mcp.context7.com/mcp/oauth"

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

fs.writeFileSync(CREDENTIALS_FILE, JSON.stringify(data, null, 2), { mode: 0o600 });

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

const data = JSON.parse(fs.readFileSync(CREDENTIALS_FILE, "utf-8"));

File system operations using variables without prior path validation or sanitization may allow traversal attacks.

fs.unlinkSync(CREDENTIALS_FILE);

Paths containing '../' sequences targeting sensitive system files (etc/passwd, .ssh, .env) can escape intended directories.

dotenv.config({ path: path.resolve(__dirname, "../../.env") });

Paths containing '../' sequences targeting sensitive system files (etc/passwd, .ssh, .env) can escape intended directories.

config({ path: path.resolve(__dirname, "../../.env") });

Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.

const url = new URL(req.url || "/", `http://localhost`);

Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.

const url = new URL(`${baseUrl}/api/oauth/authorize`);

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

const response = await fetch(treeUrl, { headers });

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

const response = await fetch(rawUrl, { headers });

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

const fileResponse = await fetch(rawUrl, { headers: ghHeaders });

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

const response = await fetch(url, { headers });

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

const response = await fetch(url, { headers });

Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.

const url = new URL(`${CONTEXT7_API_BASE_URL}/v2/libs/search`);

Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.

const url = new URL(`${CONTEXT7_API_BASE_URL}/v2/context`);

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

res = await fetch(url, requestOptions as RequestInit);

Using sudo in scripts escalates privileges and may allow unintended system-wide modifications.

log.dim(`  sudo chown -R $(whoami) "${parentDir}"`);

Using sudo in scripts escalates privileges and may allow unintended system-wide modifications.

log.error(`Permission denied. Try: sudo rm -rf "${skillPath}"`);

Using sudo in scripts escalates privileges and may allow unintended system-wide modifications.

log.dim(`  sudo chown -R $(whoami) "${parentDir}"`);

HTML comments in tool descriptions may contain hidden instructions intended to influence LLM reasoning.

sectionMarker: "<!-- context7 -->",

Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.

const envToken = process.env.GITHUB_TOKEN || process.env.GH_TOKEN;

Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.

const envToken = process.env.GITHUB_TOKEN || process.env.GH_TOKEN;

Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.

stdioApiKey = cliOptions.apiKey || process.env.CONTEXT7_API_KEY;

Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.

export const AUTH_SERVER_URL = process.env.AUTH_SERVER_URL || CONTEXT7_BASE_URL;

Encoding environment variables or credential file contents to Base64 is a common exfiltration obfuscation technique.

const cipher = createCipheriv(ALGORITHM, Buffer.from(ENCRYPTION_KEY, "hex"), iv);

String literals matching known API key prefixes (sk-, ghp_, AKIA, xoxb-, etc.) or long base64-like strings may expose secrets in source code.

const DEFAULT_ENCRYPTION_KEY = "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f";

Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.

const apiKey = config.apiKey || process.env.CONTEXT7_API_KEY;

Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.

const apiKey = process.env.CONTEXT7_API_KEY || process.env.API_KEY;

Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.

const apiKey = process.env.CONTEXT7_API_KEY || process.env.API_KEY;

String literals matching known API key prefixes (sk-, ghp_, AKIA, xoxb-, etc.) or long base64-like strings may expose secrets in source code.

"fileSha256": "aea76f179ceb92d22c289147c9d8343fb558d6dec93b144c9794e99239bb8194",

An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.

server.listen(CALLBACK_PORT, "127.0.0.1", () => {

An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.

const httpServer = app.listen(port);