Pluginv1.0.0

Static analysis security

Zotero Plugin · Deterministic local checks for risky code patterns and metadata mismatches.

SuspiciousApr 27, 2026, 4:46 PM

Summary: Detected: suspicious.env_credential_access, suspicious.potential_exfiltration
Reason codes: suspicious.env_credential_accesssuspicious.potential_exfiltration
Engine: v2.4.0

criticalsrc/client.ts:20

Environment variable access combined with network send.

if (process.env.ZOTERO_SERVER_URL) {

warnsrc/client.ts:2

File read combined with network send (possible exfiltration).

import { readFileSync, existsSync } from "node:fs";