Security audit

openclaw-zotero-new

Security checks across malware telemetry and agentic risk

Overview

This Zotero skill does what it says, but users should understand it can write to their Zotero library and may upload paper details or PDFs.

Install only if you are comfortable giving the skill a Zotero API key that can add items to your library. Prefer a least-privilege Zotero key, avoid using it with sensitive unpublished papers unless you intend to store them in Zotero, and review whether the package uses a remote shell installer before running setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill uses sensitive environment credentials and performs network operations, but those capabilities are not explicitly declared as permissions. This weakens transparency and informed consent: users may not realize the skill can read secrets and transmit data externally, increasing the chance of unintended credential use or data exfiltration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The described behavior understates the actual data-handling scope: beyond saving metadata, the skill checks Zotero remotely, adds notes, downloads PDFs from external URLs, and uploads attachments. This mismatch is dangerous because users may authorize a seemingly narrow action while the skill performs broader network transfers and persistent library modifications they did not clearly consent to.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The advertised purpose is saving papers to Zotero, but the code also downloads PDFs from arXiv and uploads them as attachments. This hidden side effect expands the skill’s network and storage behavior beyond what users are told, which can create consent, policy, and resource-usage risks in agent environments.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script performs outbound network retrieval based on user-controlled input when the URL contains arxiv.org, but this capability is not disclosed in the stated skill purpose. Even though it is narrowed to arXiv-like URLs, undocumented network access increases attack surface and may violate least-privilege expectations for a simple Zotero-save skill.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill tells users to supply Zotero credentials and writes data to their library, but does not prominently warn that paper metadata, summaries, URLs, and possibly downloaded files will be transmitted to Zotero services. Lack of clear disclosure can cause users to send sensitive research material or AI-generated notes to a third party without informed consent.

External Script Fetching

Low
Category
Supply Chain
Content
{
      "id": "uv-linux",
      "kind": "shell",
      "script": "curl -Ls https://astral.sh/uv/install.sh | sh",
      "bins": ["uv"],
      "platform": "linux",
      "label": "Install uv via install script"
Confidence
88% confidence
Finding
curl -Ls https://astral.sh/uv/install.sh | sh

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.