pyzotero
Pass
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by ingesting and processing untrusted data (titles, abstracts, and full-text content) from external Zotero libraries.
  - Ingestion points: references/read-api.md (retrieving items and collections), references/full-text.md (retrieving PDF full-text content).
  - Boundary markers: Absent; there are no instructions to the agent to treat fetched bibliographic data as untrusted or to use delimiters.
  - Capability inventory: The skill is configured with access to Bash, Write, Read, and Edit tools as defined in the frontmatter of SKILL.md.
  - Sanitization: No explicit validation or sanitization of retrieved metadata or attachment content is implemented within the instructions or provided code snippets.
- [SAFE]: Credential management is handled securely by encouraging the use of environment variables or .env files rather than hardcoding sensitive API keys.
- [SAFE]: The skill uses well-known, legitimate dependencies such as the pyzotero library and official Zotero API endpoints.
Audit Metadata