Zotero MCP

Review

Audited by ClawScan on Feb 17, 2026.

Overview

The skill appears to do what it claims (talk to a local Zotero MCP server), but the package's metadata omits required runtime dependencies, and it instructs you to globally install an npm package (zotero-mcp) that the bundled script executes. This mismatch and the unvetted npm dependency are concerning.

This skill appears to be a thin client for a local Zotero MCP server, and the included code matches that purpose. However:

(1) The package metadata fails to declare required runtimes: the SKILL.md and script assume Node/npm and an npm package 'zotero-mcp' that will be executed on your machine.
(2) Installing npm packages globally (npm install -g) can run arbitrary code from the public registry. Review the 'zotero-mcp' package source on npm/GitHub and the publisher before installing.
(3) Verify that calls are only to 127.0.0.1:23119 (local Zotero) and not to remote hosts.
(4) Prefer to install the npm package in a sandbox or inspect its code, or run the included Python wrapper with a controlled PATH so you know which 'zotero-mcp-server' binary is being invoked.

If you cannot verify the npm package origin, avoid installing it globally or decline to install this skill.