zotero-paper

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Zotero helper that saves paper details to the user's Zotero library using user-provided credentials.

Before installing, use a Zotero API key scoped to only the library actions you actually want. Paper metadata, summaries, links, and any attached PDFs may be uploaded to Zotero, so avoid passing private paper notes or sensitive summaries unless you intend to store them there.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium
Confidence: 87%
Finding
The documentation instructs users to provide Zotero credentials and describes saving content to a remote Zotero library, but it does not clearly warn that data and secrets will be transmitted over the network. Even if this is expected for Zotero integration, the lack of explicit disclosure reduces informed consent and may cause users to submit sensitive metadata, summaries, or API credentials without understanding the transmission scope.

VirusTotal

64/64 vendors flagged this skill as clean.
