mcp-zotero

Pass

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: SAFE
Flags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill uses authoritative directives in its 'First-Run Check' section (e.g., 'Before doing anything else', 'proceed to step 2') to guide agent behavior during the initial setup phase.
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute local system commands for environment discovery and tool installation, specifically uv tool list | grep mcp-zotero and uv tool install mcp-zotero.
  • [EXTERNAL_DOWNLOADS]: The setup process facilitates the download and installation of the mcp-zotero package from external Python package registries using the uv tool manager.
  • [DATA_EXFILTRATION]: The skill provides tools like attach_file and attach_linked_file that accept arbitrary local file paths. This functionality presents a risk where the agent could be manipulated via prompt injection to read and upload sensitive local files (such as SSH keys or configuration files) to the user's Zotero cloud storage.
  • [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface (Category 8).
      • Ingestion points: Untrusted bibliographic data, including item titles, abstract notes, and attached notes, is ingested into the agent context via tools like search_items, get_item, and collection_items (as documented in SKILL.md and guides/search-retrieve.md).
      • Boundary markers: No specific delimiters or 'ignore' instructions are provided to the agent to distinguish bibliographic data from system instructions.
      • Capability inventory: The skill possesses powerful capabilities that could be abused if an injection is successful, including deleting items (delete_item), deleting collections (delete_collection), and managing file attachments (attach_file, download_attachments).
      • Sanitization: The provided documentation does not indicate any sanitization or validation of the data retrieved from the Zotero API before it is processed by the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 4, 2026, 02:34 PM