Security audit

openclaw-zotero-scholar

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it saves user-supplied paper information into Zotero using a Zotero API key, with expected network access and account writes.

Install only if you are comfortable giving the skill a Zotero API key that can add items and attachments. Use a minimally scoped Zotero key, keep ZOTERO_CREDENTIALS out of logs and shared terminals, and run it only with trusted paper URLs and reviewed summary text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding:
The skill appears to use environment credentials and network access, but those capabilities are not explicitly declared as permissions. This creates a transparency and review gap: users and platforms may not realize the skill can access secrets and send data externally, increasing the chance of unintended credential exposure or unsafe execution in sensitive environments.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding:
The documented purpose understates the actual behavior by omitting deduplication queries to Zotero, AI-summary note creation, PDF downloads from external URLs, and file uploads. This mismatch is dangerous because users may authorize a seemingly simple metadata-save action without realizing the skill performs additional network retrieval and content transfer, which broadens the attack surface and can expose sensitive or unexpected data flows.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The documentation instructs users to provide Zotero credentials via an environment variable but gives no warning about secret handling, logging, shell history, or accidental disclosure. Because the credential includes an API key that can modify a user's Zotero library, poor handling could lead to unauthorized access or persistent misuse if the secret is exposed.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.