lit-synthesis

Warn

Audited by Socket on Mar 1, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This skill is an academic literature-synthesis tool that integrates Zotero MCP and optional PDF-to-Markdown conversion via Docling. I found no evidence of deliberate malicious code, obfuscation, or hidden exfiltration endpoints in the provided text. The main security concerns are supply-chain and privilege risks inherent to the stated functionality: (1) requiring Zotero MCP access (sensitive credentials and full-text access), (2) unpinned pip installation of docling, (3) transitive trust in bundled skills (zotero, zotero-rag, reading-agent) and locally-run scripts whose contents are not provided. These are consistent with legitimate functionality but warrant standard mitigations: use least-privilege/API tokens scoped to specific collections, pin package versions or verify checksums, audit bundled skills and shell scripts before executing, and review git ignores to avoid committing secrets. Overall risk is moderate operational/supply-chain rather than malicious intent.

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At: Mar 1, 2026, 06:47 AM
Package URL: pkg:socket/skills-sh/nealcaren%2Fsociology-skillset%2Flit-synthesis%2F@309f5af44479b26985796d7fdb63ce2ff24cee2b