document-skills

SUSPICIOUS: The skill’s stated purpose matches its capabilities, and it does not seek credentials or obvious exfiltration. However, it promotes transitive installation of third-party Zotero add-ons from personal/third-party GitHub sources without describing provenance checks, signatures, or exact network endpoints, creating moderate supply-chain risk disproportionate to a simple guide.