Zotero

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Zotero management skill, but it can read and change a Zotero library when given an API key.

Install only if you intend to let this skill access your Zotero library. Use a least-privilege Zotero API key, confirm whether it points at your personal or group library, use --limit/--collection and dry-run options for bulk workflows, and be careful with --yes, --permanent, --force, --upload, --download-dir, and --output because those can change Zotero data or write local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Tainted flow: 'req' from os.environ.get (line 1369, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
"Accept": "application/pdf,*/*",
    })
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            with open(dest_path, "wb") as f:
                shutil.copyfileobj(resp, f)
        # Verify it's actually a PDF (check magic bytes)
Confidence
83% confidence
Finding
with urllib.request.urlopen(req, timeout=60) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly requires access to environment variables, local files, and external network services, and it can also write files when exporting bibliographies or downloading PDFs. When these capabilities are not explicitly declared as permissions, users and the platform may not understand the true execution scope, weakening trust boundaries and increasing the risk of unintended data access or exfiltration.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation language is broad enough to match many generic research or paper-related requests, which can cause the skill to activate in contexts where the user did not explicitly ask to use Zotero. Because this skill has network, file, and credential-backed API behavior, overly broad triggering expands the chances of unnecessary access to reference libraries or external services.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The export command writes directly to a user-specified file path using write mode, which will create or overwrite files without confirmation. In an agent context, that can lead to unintended data loss or writing sensitive bibliographic exports to unexpected locations if the path is influenced by a prompt or automation.

VirusTotal

63/63 vendors flagged this skill as clean.
