zotero-scholar

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: save paper information, notes, and related PDFs into a Zotero library using user-provided Zotero credentials.

Install only if you are comfortable giving the skill a Zotero API key that can write to your library. Use a scoped Zotero key if possible, keep ZOTERO_CREDENTIALS out of logs and shared shells, and review generated summaries or PDF attachments before relying on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 85%
Finding
The skill requires access to environment variables and network connectivity but does not explicitly declare corresponding permissions, which reduces transparency and weakens least-privilege controls. In practice this can cause users or hosts to underestimate that the skill will read sensitive credentials and send data to external services.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
The documented purpose says the skill saves papers to Zotero, but the detected behavior includes deduplication queries, writing AI-generated notes, downloading PDFs from external sources, and uploading attachments to Zotero. This broader behavior materially changes the data flow and attack surface, creating risk of unexpected external downloads/uploads and unreviewed content being stored in the user's library.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation instructs users to provide Zotero API credentials via an environment variable but gives no warning about the sensitivity of the API key or safe handling practices. This increases the chance of accidental exposure through logs, shell history, screenshots, shared environments, or overly broad key reuse.

VirusTotal

64/64 vendors flagged this skill as clean.
