zotero-myscholar

Security checks across malware telemetry and agentic risk

Overview

This Zotero skill mostly matches its purpose, but it needs Review because the runtime script contradicts the documented credential setup and exposes a credential-looking string while performing persistent Zotero writes and PDF uploads.

Review or fix the script before installing. Do not use it until the credential lookup is changed to ZOTERO_CREDENTIALS, any exposed Zotero key is revoked or rotated, and you are comfortable with the skill creating Zotero items, adding AI summary notes, and downloading then uploading arXiv PDFs as attachments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
81% confidence
Finding
The documented behavior understates what the code actually does: it performs remote duplicate searches, may download PDFs from arXiv, uploads attachments to Zotero, and sends AI-generated summaries/metadata to external services. In an agent skill context, this mismatch is dangerous because users may consent to 'save metadata' while the skill also transfers additional content and performs extra network actions they were not warned about.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The documentation says it can save PDF links, but for arXiv URLs the code actually downloads the remote PDF and uploads the file into Zotero. That difference materially changes the data flow, bandwidth, storage, copyright/compliance, and privacy implications for the user.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code reads credentials from an environment variable whose name is the literal secret value format '19883603:YtIe0tqZtA12wBvFDTB8EIRR', strongly suggesting an embedded Zotero user ID and API key were accidentally exposed in source. Hardcoding or exposing live credentials can allow unauthorized access to the Zotero library, including reading or modifying stored records.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The skill instructs users to supply a Zotero API credential but does not warn that this is a sensitive secret with write access to the user's library. In agent environments, lack of secret-handling guidance increases the chance of accidental exposure through logs, screenshots, shell history, or overly broad reuse.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill does not clearly warn users that it will send paper metadata, abstract text, and optional AI summaries to Zotero and may fetch a PDF from arXiv and re-upload it. In a skill context, insufficient disclosure of outbound data flows can lead to unauthorized sharing of unpublished, proprietary, or sensitive research content.

VirusTotal

VirusTotal findings are pending for this skill version.
