pyzotero
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface. It is designed to ingest and process untrusted data from the Zotero API (such as item metadata, notes, and full-text PDF content) which could be manipulated by an attacker to include malicious instructions.
- Ingestion points: Data enters the agent's context through methods defined in `references/read-api.md` (item metadata), `references/full-text.md` (attachment text content), and `references/files-attachments.md` (attachment filenames and metadata).
- Boundary markers: The provided documentation and code snippets do not implement boundary markers or instructions to the agent to treat data retrieved from the Zotero API as untrusted or to ignore embedded instructions.
- Capability inventory: The skill has high-privilege capabilities including `Bash`, `Write`, and `Edit` tools as defined in `SKILL.md`. It also performs local file system operations such as `zot.dump()` (found in `references/files-attachments.md`).
- Sanitization: There is no evidence of sanitization, filtering, or validation of the retrieved Zotero content before it is processed by the agent.
Audit Metadata