zotero-browse

Security checks across malware telemetry and agentic risk

Overview

This skill is a local Zotero helper that reads the user’s Zotero database and PDFs as advertised, with no evidence of hidden network access or destructive behavior.

Install only if you are comfortable letting the agent read your local Zotero database and stored PDFs. Review and change the hard-coded Windows paths before use, and use `--output` carefully because it saves extracted document text as plaintext at the path you provide.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill performs local file reads from the Zotero database and PDF storage and also documents writing extracted PDF text to an output file, yet it declares no required permissions or safeguards. This creates a mismatch between declared and actual capabilities, reducing transparency and making it easier for an agent to access or persist local data without an explicit trust boundary.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script uses `sqlite3.connect(args.db, timeout=30)` and then executes `PRAGMA read_only=ON`, but that pragma does not make the connection truly immutable for all operations. A caller who points `--db` at an arbitrary SQLite file will get a normal read-write connection if filesystem permissions allow it, which contradicts the tool's stated read-only behavior and expands the potential for unintended modification of local data.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation text includes broad triggers such as any query about accessing or reading Zotero papers or PDFs, which can over-match ordinary requests about PDFs and cause unintended activation. In a local-data skill, accidental invocation is risky because it may expose private library contents or cause the agent to operate on local files when the user meant something more general.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The skill documents extracting full PDF text to a local file but does not warn that this writes potentially sensitive paper contents onto disk. While the write is user-directed via `--output`, the absence of disclosure and constraints can lead to inadvertent persistence of copyrighted or private material in arbitrary locations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file hard-codes precise local filesystem paths, including a likely user-specific home directory (`C:\Users\41406\Zotero\zotero.sqlite`) and a secondary library location. This unnecessarily discloses host-specific environment details that can aid fingerprinting, targeted social engineering, and follow-on attacks, especially in an agent skill that is explicitly designed to access local files and a local SQLite database.

VirusTotal

55/55 vendors flagged this skill as clean.
