zotero-paper-reader
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (MEDIUM): The script
scripts/get_zotero_pdf.pyreads sensitive API keys (ZOTERO_API_KEY) and library IDs fromNotes/.env. Accessing credential stores is a high-severity finding, but it is downgraded here because it is essential for the skill's primary function of Zotero integration.\n- [COMMAND_EXECUTION] (MEDIUM): The skill utilizessubprocess.runto executecurlfor data retrieval and file downloads. Executing shell commands with variable inputs poses a risk, particularly when combined with external data sources.\n- [EXTERNAL_DOWNLOADS] (LOW): The skill downloads PDF content fromapi.zotero.org. While Zotero is a known service, downloading and executing logic on external files constitutes a security boundary cross.\n- [PROMPT_INJECTION] (LOW): The skill possesses an indirect prompt injection surface as it ingests untrusted PDF data from Zotero and converts it to markdown for agent processing.\n - Ingestion points: PDF files fetched from
api.zotero.orgor read from~/Zotero/storage/viascripts/get_zotero_pdf.py.\n - Boundary markers: Absent; converted markdown is read by the agent using
Read()without explicit delimiters or instructions to ignore embedded commands.\n - Capability inventory: File system access (read/write), network requests via
curl, and system command execution viasubprocess.\n - Sanitization: Absent; the script uses the
original_filenamestring from the Zotero API directly in the local file path/tmp/{original_filename}without sanitization, which could allow path traversal if the API returns a malicious filename.
Audit Metadata