Security audit

social media scholar (zotero)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Zotero import helper that uses Zotero credentials to save papers, notes, and arXiv PDFs, with no evidence of hidden or unrelated behavior.

Install only if you want an agent to read user-provided paper or social-media links and write results into your Zotero library. Use a Zotero API key with the minimum permissions needed, keep it in the documented Keychain entry or environment variable, and review generated metadata, notes, and PDF attachments before saving when the source link is ambiguous or private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no explicit permissions, yet its documented behavior clearly relies on environment variables, shell execution, network access, and optional use of the macOS Keychain. This mismatch weakens transparency and consent boundaries, making it easier for a user or host system to underestimate what the skill can access and do.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose says the skill extracts paper metadata from social posts and saves it to Zotero, but the instructions also authorize broader actions: reading credentials, downloading PDFs, generating and storing notes, and using browser/web scraping workflows. Description-behavior mismatch is dangerous because users may consent to a narrow task while the skill performs materially broader data access and network activity.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads Zotero credentials from the macOS Keychain via the `security` CLI, which is a sensitive local-secret access capability. Although related to saving items to Zotero, this behavior is broader and more sensitive than the user-facing description suggests, and it could enable silent use of stored credentials without explicit user awareness at runtime.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The activation language is broad enough that ordinary messages containing links, citations, screenshots, or paper mentions could trigger the skill without strong scoping. Over-broad triggers can cause unintended processing of user content and unnecessary access to external links or credentials when the user did not clearly request Zotero operations.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The usage instructions say that inputs containing links and a user need should be analyzed and routed among multiple workflows, but they do not clearly constrain when external fetching, browsing, or Zotero writes are allowed. This ambiguity increases the chance of accidental activation and overreach from a simple shared link.

Credential Access

High
Category
Privilege Escalation
Content
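This Skill depends on a locally installed Python (Python 3.10 or later is recommended).

The API key is stored securely in the **macOS Keychain**, avoiding the risk of plaintext storage;

In non-macOS environments, it is stored in the environment variable `ZOTERO_CREDENTIALS`, in the format: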
Confidence
90% confidence
Finding
Keychain

VirusTotal

67/67 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.