Zotero Enhanced

Security checks across malware telemetry and agentic risk

Overview

This Zotero skill is purpose-aligned and disclosed overall, but users should handle Zotero/WebDAV credentials and legacy upload scripts carefully.

Install only if you are comfortable granting a Zotero API key with the needed library permissions. Prefer scripts/add_to_zotero_universal.sh for uploads, verify any WEBDAV_URL is storage you trust, avoid putting real credentials in shared shell history/logs, and use dry-run, confirmation, and backup options for note changes or deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly documents and relies on shell script execution, external HTTP calls, file access, and deletion operations, but the manifest does not declare permissions/capabilities accordingly. This creates a transparency and policy-enforcement gap: users or platforms may underestimate the skill's authority and allow execution without informed consent.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script’s comments and defaults state WebDAV is optional and cloud storage is supported, but the implementation always performs WebDAV uploads using WEBDAV_URL/WEBDAV_USER/WEBDAV_PASS. This mismatch is dangerous because users may supply sensitive PDFs expecting a cloud-only workflow, yet the script will still attempt external WebDAV transmission, causing unintended data disclosure or operational failure.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The inline documentation claims WebDAV is optional, but the code unconditionally constructs a WebDAV target URL and uploads both .prop and .zip files. In a file-management skill handling local PDFs, this deceptive behavior increases the risk of unauthorized or unexpected transfer of document contents to external infrastructure.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script advertises WebDAV as optional and claims cloud-storage fallback, but later unconditionally uploads attachment artifacts to a WebDAV endpoint. This mismatch can cause operators to provide or accept an arbitrary WEBDAV_URL under false assumptions, resulting in unintended document exfiltration to a third-party server and failed operation when WebDAV is not configured.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The inline documentation says WebDAV is optional, but the code always executes authenticated uploads to WEBDAV_URL. In a security-sensitive automation context, deceptive or inaccurate storage semantics are dangerous because users may believe files remain within Zotero-managed infrastructure when they are actually sent to an external endpoint.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The safety comment asserts that only legitimate academic APIs and Zotero are contacted, but the script also performs authenticated uploads to an arbitrary WebDAV URL from the environment. Because comments that downplay network scope can mislead reviewers and users, this increases the risk of silent data transmission to untrusted infrastructure.

Intent-Code Divergence

Medium
Confidence
77% confidence
Finding
The script claims it only calls the Zotero API, but in backup mode it also creates directories and writes note contents to disk. Misleading security claims reduce user ability to assess data handling correctly and can cause sensitive note contents to be persisted locally without an accurate disclosure of that behavior.

Intent-Code Divergence

Low
Confidence
75% confidence
Finding
The help text reassures users that the script only uses the Zotero API, yet --backup causes local persistence of note data. This mismatch is dangerous because deceptive or inaccurate operational claims can lead users to expose potentially sensitive research notes on disk when they believed the tool performed only remote API operations.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The script explicitly claims it only performs Zotero API and optional WebDAV network access, but in direct-download mode it trusts `.links.enclosure.href` from attachment metadata and fetches that URL without validating the hostname or scheme. If attachment metadata is malicious or compromised, the script can be induced to contact an arbitrary endpoint, causing unexpected outbound requests and possible credentialed or environment-sensitive data exposure through network side effects.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The help text states there are no hidden network calls and only Zotero/WebDAV access, but the implementation later performs a download from a URL returned in metadata without checking whether it still points to Zotero infrastructure. Misleading security claims are dangerous because operators may supply secrets or run the tool in restricted environments under false assumptions about its outbound connectivity.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation advertises automatic metadata fetching from Crossref/arXiv but does not clearly warn that extracted identifiers, titles, or possibly text-derived metadata from user PDFs may be transmitted to third-party services. In a document-management skill, this matters because even partial bibliographic data can reveal sensitive research interests, unpublished work, or confidential document contents.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script sends PDF-derived metadata, including the extracted title, to the Zotero API without explicit user consent or a runtime warning about network transmission. In the context of a document-management skill, this is significant because local document content may be sensitive, and users may not realize that parsed data leaves the local environment.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script writes a ZIP of the input PDF and a metadata .prop file into /tmp using predictable filenames based on the attachment key, which may expose sensitive document contents to other local users or leave recoverable remnants if cleanup fails. In shared or multi-user environments, temporary handling of confidential documents in a world-accessible location increases data leakage risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
On failure to find a PDF attachment, the script echoes the full Zotero API children response. That response can include item metadata, filenames, notes, and other library details that may be sensitive, causing unintended disclosure into terminal history, agent logs, or centralized observability systems.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
bash scripts/delete_note.sh "NOTE_KEY"

# Delete without confirmation (use with caution):
bash scripts/delete_note.sh --no-confirm "NOTE_KEY"

# Backup before deleting:
bash scripts/delete_note.sh --backup "NOTE_KEY"
Confidence
72% confidence
Finding
--no-confirm

Tool Parameter Abuse

High
Category
Tool Misuse
Content
bash scripts/delete_note.sh "NOTE_KEY"

# Delete without confirmation (use with caution):
bash scripts/delete_note.sh --no-confirm "NOTE_KEY"

# Backup before deleting:
bash scripts/delete_note.sh --backup "NOTE_KEY"
Confidence
87% confidence
Finding
--no-confirm

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```

#### Safety Features
- **Confirmation prompt**: Requires manual confirmation unless `--no-confirm` is used
- **Backup option**: Saves note content to `~/.zotero-backup/` before deletion
- **Version checking**: Prevents deletion if note was modified by another process
- **Dry-run mode**: Preview deletion without actually deleting
Confidence
84% confidence
Finding
--no-confirm

VirusTotal

65/65 vendors flagged this skill as clean.
