Security audit

Zotero PDF Local Import

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Zotero PDF import helper with local side effects that users should understand before running it.

Install only if you are comfortable enabling Zotero local communication, letting the agent import PDFs into your Zotero library, and either allowing the requests dependency install or installing it yourself in a virtual environment first. Use exact absolute paths, avoid recursive imports unless intended, and be aware that the check command may print Zotero item titles and local file paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("dep_requests=missing")
if args.auto_install_deps:
    print("dep_requests=installing")
    r = subprocess.run([sys.executable, "-m", "pip", "install", "requests>=2.31.0"], capture_output=True, text=True)
    if r.returncode != 0:
        print("dep_requests=install_failed")
        print((r.stderr or r.stdout or "").strip()[:500])
Confidence
91% confidence
Finding
r = subprocess.run([sys.executable, "-m", "pip", "install", "requests>=2.31.0"], capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exercises sensitive capabilities including shell execution, file reads, environment access, and network access, yet the skill manifest does not explicitly declare or constrain those permissions. This weakens transparency and reviewability, making it easier for an agent or operator to invoke broader functionality than expected, especially because the documented flow includes dependency installation and local service interaction.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior exceeds the stated purpose by allowing automatic pip installation, diagnostic probing, and opening Zotero deep-link URLs via platform launchers. Those extra actions can change the local environment and trigger external handlers, which is materially more powerful than a simple PDF import workflow and increases the risk of unintended code execution paths or user-impacting side effects.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The diagnostic routine exceeds the stated Zotero import purpose by optionally installing Python packages, creating side effects on the host environment. Even though the package name is fixed, this still introduces supply-chain and environment-modification risk that is unnecessary for a connector/import skill.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.