zotero-cli
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill relies extensively on the
zotCLI for all operations, including reading from local SQLite databases and writing to the Zotero Web API. - It executes various subcommands such as
zot search,zot pdf,zot workspace query, andzot addto interact with local and remote data. - [EXTERNAL_DOWNLOADS]: The skill facilitates network operations to several academic and AI service providers:
- Zotero API: For item creation and metadata updates.
- Semantic Scholar API (
S2_API_KEY): Used byzot update-statusto check preprint publication status. - Jina AI (
api.jina.ai): Referenced as a default embedding endpoint for semantic search within workspaces. - [DATA_EXFILTRATION]: The skill processes potentially sensitive academic data (PDF contents and library metadata). While it can export this data (e.g., via
zot workspace export) or send it to an embedding endpoint for RAG purposes, these actions are transparently documented as core features of the tool. - [PROMPT_INJECTION]: The skill includes an 'indirect prompt injection' surface (Category 8) because it reads and processes external content (PDFs and paper metadata) that could contain adversarial instructions:
- Ingestion points: External data enters the context via
zot read,zot pdf, andzot workspace query. - Boundary markers: The instructions do not specify explicit boundary markers or 'ignore' instructions for the ingested content.
- Capability inventory: The agent has the ability to execute CLI commands and make network requests via the
zottool. - Sanitization: There is no mention of sanitizing or escaping the retrieved metadata or PDF text before it is processed by the agent.
Audit Metadata