zotero-sholar

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: save user-specified paper metadata, summaries, and optional PDFs into the user's Zotero library using the user's Zotero API credentials.

Install this if you want an agent to add papers to your Zotero library. Use a Zotero API key with the minimum permissions you need, keep ZOTERO_CREDENTIALS out of chats and logs, and expect the skill to contact Zotero and, for arXiv papers, download and attach PDFs when saving items.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 86%
Finding:
The skill requires access to an environment secret and performs networked actions, but the documentation does not clearly declare permissions or warn users about those capabilities. This weakens transparency and consent, making it easier for users or orchestrators to invoke a skill that can access credentials and communicate externally without an explicit trust decision.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 91%
Finding:
The documented purpose understates the actual behavior: beyond saving metadata, the skill appears to query Zotero for deduplication, download PDFs from external URLs, and upload attachments. Hidden or under-disclosed network fetch and upload behavior increases risk because user-provided URLs may trigger unexpected external requests and content transfer, potentially exposing metadata, importing malicious files, or violating user expectations.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding:
The skill description says it saves papers and summaries to Zotero, but the code also downloads PDFs from arXiv and uploads them as attachments. This hidden side effect expands the skill's network and data-handling behavior beyond what a user would reasonably expect, which can lead to unauthorized external fetches, increased bandwidth/storage use, and accidental ingestion of content not disclosed in the manifest.

Missing User Warnings

Low
Confidence: 73%
Finding:
The documentation shows the credential format with an API key example but does not emphasize that the value is a secret that must be protected. In practice, users may paste real credentials into chats, logs, screenshots, or shell history, leading to accidental credential exposure.

VirusTotal

66/66 vendors flagged this skill as clean.