zotero-mcp
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions specify using the
bbeditshell command to automatically open generated bibliography files. This allows the agent to execute local applications on the host system.\n- [DATA_EXFILTRATION]: The skill hardcodes an absolute local file path (/Users/niyaro/Desktop/) for saving output. This references a specific local username and involves file system access to the user's Desktop directory.\n- [PROMPT_INJECTION]: The skill processes untrusted metadata, notes, and annotations from a Zotero database, creating an indirect prompt injection surface where malicious data could influence agent behavior.\n - Ingestion points: Bibliographic metadata, notes, and annotations retrieved via the
zotero_get_item_metadata,zotero_get_annotations, andzotero_search_notestools (SKILL.md).\n - Boundary markers: Absent; data from Zotero is directly interpolated into the agent's context and output without delimiters.\n
- Capability inventory: Includes local file writing and shell command execution (
bbedit).\n - Sanitization: No sanitization or validation of the content retrieved from Zotero is described.
Audit Metadata