zotero-synth
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill's primary functionality depends on the user installing the 'zotero-mcp' package directly from a non-whitelisted GitHub repository ('https://github.com/54yyyu/zotero-mcp.git'). This bypasses standard package registry safety checks.
- REMOTE_CODE_EXECUTION (HIGH): The skill explicitly instructs the user to run 'uv tool install' pointing to the external git repository, which results in the execution of unverified remote code on the local system.
- DATA_EXFILTRATION (HIGH): The file 'scripts/extract_papers.py' accesses the sensitive local Zotero database path ('~/Zotero/zotero.sqlite') and creates a temporary copy of it. While the script currently writes extracted data to a local JSON file, the combination of local database access and a dependency on unverified external code creates a high risk of sensitive data theft.
- CREDENTIALS_UNSAFE (MEDIUM): The skill requires and handles multiple API keys (ZOTERO_API_KEY, OPENAI_API_KEY, GEMINI_API_KEY). Documentation encourages storing these in environment variables, which makes them accessible to the unverified external tool and the agent.
- COMMAND_EXECUTION (MEDIUM): The skill uses shell commands in 'SKILL.md' (e.g., 'zotero-mcp version') to verify the environment. If the required third-party tool is malicious, these checks execute it directly.
- PROMPT_INJECTION (LOW): The skill processes untrusted data from academic papers (abstracts, annotations) without clear boundary markers or sanitization. Evidence:
  - Ingestion points: 'zotero-mcp' tool outputs and 'scripts/extract_papers.py' output.
  - Boundary markers: Absent in 'assets/prompts/' templates.
  - Capability inventory: File-write (zotero_extract.json), network API requests, and subprocess execution.
  - Sanitization: None detected.
Recommendations
- AI detected serious security threats
Audit Metadata