Zotero Cli

Security checks across malware telemetry and agentic risk

Overview

This Zotero helper skill is aligned with its stated purpose, but some optional scripts can install packages, edit shell PATH settings, and back up Zotero credentials, so users should run them deliberately.

Prefer pipx installation, avoid the optional curl-to-bash and forced system-package examples unless you have reviewed them, and inspect helper scripts before running setup, update, restore, cleanup, or cron examples. Keep Zotero config and backup folders private because they can contain API credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (16)

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The declared purpose focuses on interacting with a Zotero library, but the documented helper scripts expand into installation, backup/restore, update checks, browser opening, and file deletion behaviors. This mismatch is dangerous because users or agent frameworks may grant trust appropriate for a read/write bibliography tool, while the skill also performs broader filesystem and network actions that increase the attack surface and can lead to unintended changes on the host.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script goes beyond checking Zotero CLI status and performs software installation and environment modification, including package installs and PATH changes. In an agent skill context, this expands the trust boundary substantially and can lead to unintended system changes when a user expects only Zotero-related library management behavior.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script invokes 'sudo apt update && sudo apt install pipx -y', which performs privileged system package management unrelated to core Zotero library operations. In a skill environment this is dangerous because triggering the install path can cause root-level changes to the host, broadening impact well beyond the application's scope.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The guide recommends running backup cleanup and update scripts without any explanation of what files may be deleted or what changes an update may make. Even if the scripts are legitimate, encouraging users to execute opaque maintenance commands can lead to unintended data loss or system state changes, especially in documentation aimed at quick setup.

Missing User Warnings

Low
Confidence
74% confidence
Finding
The README advertises backup/restore and citation export workflows but does not warn that these actions write data to local files, which can surprise users and automated agents. In agent-driven environments, undocumented file writes can cause accidental data exposure, overwrites, or persistence of sensitive bibliographic metadata in unexpected locations.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
The summary advertises setup, backup/restore, and update scripts with potentially impactful behavior, but it does not prominently warn that these actions may modify installed software, configuration, or user data. In agent-assisted contexts, insufficient warning increases the chance that a user or downstream agent invokes a high-impact script without understanding side effects.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The restore flow copies the selected backup directly over the active configuration file without asking the user to confirm the overwrite. Because this script manages application configuration and is explicitly intended for backup/restore operations, an accidental or mistaken restore can immediately replace working settings, potentially breaking access or reverting sensitive API-related configuration.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs real system modifications, including installing packages with sudo and appending to ~/.bashrc, but it does not clearly and explicitly warn the user about all side effects before taking those actions. In an agent skill context, hidden or under-emphasized state-changing behavior is risky because users may expect a diagnostic/setup check, not package installation and persistent shell profile changes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script automatically attempts privileged installation using sudo without a dedicated warning explaining that system-wide package changes will occur. Users may invoke an install flow expecting a local Python package operation but instead trigger root-level apt activity, which is risky in automation and shared environments.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
print_warning "pipx is not installed. Installing pipx..."

if command -v apt &> /dev/null; then
    sudo apt update && sudo apt install pipx -y
    pipx ensurepath
    export PATH="$HOME/.local/bin:$PATH"
elif command -v pacman &> /dev/null; then
Confidence
93% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
print_warning "pipx is not installed. Installing pipx..."

if command -v apt &> /dev/null; then
    sudo apt update && sudo apt install pipx -y
    pipx ensurepath
    export PATH="$HOME/.local/bin:$PATH"
elif command -v pacman &> /dev/null; then
Confidence
93% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
    pipx ensurepath
    export PATH="$HOME/.local/bin:$PATH"
elif command -v pacman &> /dev/null; then
    sudo pacman -S pipx
    pipx ensurepath
    export PATH="$HOME/.local/bin:$PATH"
elif command -v dnf &> /dev/null; then
Confidence
92% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
    pipx ensurepath
    export PATH="$HOME/.local/bin:$PATH"
elif command -v dnf &> /dev/null; then
    sudo dnf install pipx
    pipx ensurepath
    export PATH="$HOME/.local/bin:$PATH"
else
Confidence
92% confidence
Finding
sudo

External Script Fetching

High
Category
Supply Chain
Content
3. **Use pyenv (advanced):**
```bash
# Install pyenv
curl https://pyenv.run | bash

# Install Python 3.11
pyenv install 3.11
Confidence
97% confidence
Finding
curl https://pyenv.run | bash

Chaining Abuse

High
Category
Tool Misuse
Content
3. **Use pyenv (advanced):**
```bash
# Install pyenv
curl https://pyenv.run | bash

# Install Python 3.11
pyenv install 3.11
Confidence
98% confidence
Finding
| bash

YARA rule 'backdoor_persistence': Backdoor persistence with malicious payloads (shell commands, SSH key injection, hidden root users) [malware]

High
Category
YARA Match
Content
if [[ ":$PATH:" != *":$HOME/.local/bin:"* ]]; then
    echo ""
    echo "Adding ~/.local/bin to PATH..."
    echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc
    export PATH="$HOME/.local/bin:$PATH"
fi
;;
Confidence
91% confidence
Finding
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc

VirusTotal

66/66 vendors flagged this skill as clean.
