mcp-zotero

This SKILL.md describes a Zotero integration that requires users to provide sensitive credentials (ZOTERO_API_KEY, ZOTERO_LOCAL_KEY, ZOTERO_LIBRARY_ID) either via environment or by writing .mcp.json. That configuration, combined with instructions to install/run an MCP server binary (uv tool install mcp-zotero) and the MCP server acting as an intermediary for web and local API calls, creates a supply-chain and credential-forwarding risk. The required permissions (file access to arbitrary local paths, ability to upload attachments, and storing credentials in config files) are consistent with the skill's stated purpose, but they are high-impact if the MCP server or installer is untrusted or compromised. Recommended mitigations: obtain the mcp-zotero binary from a verifiable, signed release or trusted registry; avoid writing secrets into project-level files tracked by VCS; prefer injecting credentials at runtime in ephemeral environment variables; audit the MCP server source code and network endpoints; and limit attachment directories to a specific safe path. Overall, I do not see direct evidence of active malicious code in the skill text itself, but the combination of download-install instructions, credential forwarding to an intermediary, and arbitrary file access yields a meaningful supply-chain risk that warrants caution.