sci-zotero
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Potential for indirect prompt injection via untrusted external data. The skill fetches research paper metadata (titles, abstracts, etc.) from external sources using identifiers like DOI/ISBN/PMID. Maliciously crafted data from these sources could influence the agent's behavior.
- Ingestion points: Data fetched from the Zotero API and external publishers via `zotero.py` (referenced in SKILL.md).
- Boundary markers: No specific delimiters or instructions to ignore embedded commands are present in the skill text.
- Capability inventory: Execution of shell commands via a Python script, network requests to the Zotero API, and file system operations for PDF management.
- Sanitization: No evidence of validation or sanitization for fetched metadata.
- [COMMAND_EXECUTION]: Execution of an external script at a relative path (`../../scripts/zotero.py`). The security of the skill depends on the integrity of this shared script located outside the skill's own directory.
- [PROMPT_INJECTION]: Metadata inconsistency between files. The author is identified as 'Shuo Zhao' in the SKILL.md file but listed as 'Antigravity' in the _meta.json file, which can be misleading regarding the skill's origin.
Audit Metadata