Zotero Manager

Security checks across malware telemetry and agentic risk

Overview

This Zotero skill is mostly purpose-aligned, but users should review it because it handles library credentials, can modify a Zotero library, and under-discloses those risks.

Review before installing. Use a least-privilege Zotero token, avoid write permissions unless you intend to import items, do not pass non-local URLs to --api-url, and store tokens in a protected secret store or tightly permissioned file rather than a shared or synced plaintext path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Intent-Code Divergence

Medium
96% confidence
Finding
The README states the skill is read-only and does not modify Zotero data, but earlier examples explicitly document DOI and batch import operations that would add items to the library. This is a security-relevant trust issue because users and higher-level agents may rely on the safety claims when deciding whether to grant access or execute the skill.

Missing User Warnings

Medium
95% confidence
Finding
The document instructs the user to store a Zotero local API key in a plaintext file without clearly labeling it as a sensitive secret or advising on file permissions and secure handling. This increases the risk of credential disclosure through backups, local malware, shared directories, or accidental commits, which could allow unauthorized access to the user's Zotero data via the local API.

Missing User Warnings

Medium
91% confidence
Finding
The instructions tell the user to enable HTTP access to Zotero local data but do not explain the privacy and exposure risks of making a local data service available over HTTP. Even if intended for localhost use, local services can be abused by malicious local processes, browser-based attacks against loopback services, or misconfiguration that broadens access to personal bibliography data.

Missing User Warnings

Medium
93% confidence
Finding
The document instructs the user to write a Zotero local API authentication token directly into a plaintext file on disk, with no guidance on restricting file permissions, using a safer secret store, or avoiding accidental disclosure. Even though this is a local API token, it is still a credential; malware, other local users, backups, sync tools, or logs could expose it and allow unauthorized access to the user's Zotero data.

Missing User Warnings

Medium
91% confidence
Finding
The document instructs users to generate a personal access token and save it in a local file, but does not warn that the token is a sensitive credential or advise on file permissions, secure storage, or avoiding accidental disclosure. If that file is exposed through backups, logs, source control, screenshots, or other local compromise, an attacker could use the token to access the user's Zotero data within the token's scope.

Missing User Warnings

Medium
93% confidence
Finding
The document instructs the user to generate a personal access token and write it directly to a local file without any guidance on least privilege, file permissions, secret storage, rotation, or avoiding accidental disclosure. This can expose long-lived credentials to other local users, malware, backups, logs, or version control, enabling unauthorized access to the user's Zotero library API.

Missing User Warnings

Medium
93% confidence
Finding
The guide instructs users to write an API key directly to a local file under ~/.config/zotero/api_key without discussing file permissions, secret handling, or exposure risks. Secrets stored this way can be read by other local users, accidentally committed to backups/repos, or harvested by malware, leading to unauthorized access to the Zotero remote API.

Missing User Warnings

Medium
82% confidence
Finding
Remote-mode requests transmit the user's Zotero API key, but the CLI does not clearly warn users that their configured credential will be sent to api.zotero.org, and some requests place the key in URL parameters. In agent or automation contexts, this lack of disclosure can cause unintended credential use and increase the chance of leakage through logs, histories, or monitoring systems.

VirusTotal

66/66 vendors flagged this skill as clean.
