zotero-mcp-guide
Audited by Socket on Apr 2, 2026
1 alert found:
Anomaly
The skill's stated purpose and capabilities are mostly aligned: it is a documentation-style guide for exposing Zotero data to an AI assistant through a local MCP server. The main concern is install-trust inconsistency: the guide's Node/npm clone-and-build path does not match the upstream project's current official Python/PyPI installation, which weakens provenance and may cause users to run stale or unintended code. Data flow is transparent and proportionate—local Zotero data can be forwarded to the chosen AI provider—but users should treat that as a privacy risk rather than malware. Overall this is better classified as suspicious/medium-risk documentation due to supply-chain inconsistency, not confirmed malicious behavior.