zotero-rag
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install the `mcp-zotero` package (with `rag` and `ocr` extras) using the `uv` tool. This package originates from a source that is not included in the pre-defined list of trusted organizations or well-known services.
- [COMMAND_EXECUTION]: The agent is directed to execute shell commands to verify existing installations (`uv tool list | grep mcp-zotero`) and to install or upgrade software components.
- [CREDENTIALS_UNSAFE]: The setup workflow involves requesting the user's Zotero Library ID and local API key (`ZOTERO_LOCAL_KEY`). These sensitive credentials are subsequently written to a local `.mcp.json` file. While intended for local operation, the handling of secrets through an automated agent setup process requires user caution.
- [PROMPT_INJECTION]: The skill facilitates Retrieval-Augmented Generation (RAG) by indexing PDF documents. This creates a surface for indirect prompt injection, where malicious instructions embedded in documents could influence the agent's behavior during search tasks.
- Ingestion points: PDF files retrieved from the user's Zotero storage directory (typically `~/Zotero/storage`).
- Boundary markers: The instructions do not define specific delimiters or instructions to ignore embedded content when processing text chunks from search results.
- Capability inventory: The system includes tools for indexing libraries, performing semantic searches, expanding text context, and finding similar document chunks.
- Sanitization: There is no evidence of sanitization, filtering, or validation of the text extracted from PDFs before it is presented to the agent's context.
Audit Metadata