Back to skill

Security audit

Zotero Ingest

Security checks across malware telemetry and agentic risk

Overview

This Zotero skill can add papers as advertised, but it also gives agents under-scoped authority to reorganize or delete a Zotero library.

Review before installing. Use it only with a Zotero account and API key you intend agents to write to, prefer a narrowly scoped key, and avoid or remove the create, move, and delete helpers unless you explicitly want library administration with confirmations and item previews.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill is presented as a narrow ingest utility, but the documented operations also include mutation and deletion of Zotero data. This mismatch expands the effective privilege and attack surface: an agent or user selecting the skill for simple paper import could unknowingly invoke destructive or organizationally significant actions beyond the declared scope.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as a narrow ingest utility, but the documented operations also include mutation and deletion of Zotero data. This mismatch expands the effective privilege and attack surface: an agent or user selecting the skill for simple paper import could unknowingly invoke destructive or organizationally significant actions beyond the declared scope.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill says collection creation should not occur unless explicitly requested, yet it exposes a ready-to-use collection creation function in the same operational guide. In agentic contexts, including contradictory instructions and privileged helper code increases the chance of unauthorized library modification or policy bypass.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation gives a direct secret retrieval command for a live API key without warning about sensitivity, scope, or handling restrictions. In an agent environment, this can normalize secret access and increase the risk of accidental disclosure, misuse in unrelated contexts, or unsafe logging of credentials.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documents a fully functional delete operation against the user's Zotero library without any safety warning, confirmation requirement, or limitation to test data. In an autonomous or semi-autonomous workflow, that creates a real risk of irreversible data loss from accidental invocation or prompt-manipulated misuse.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.