pyzotero

Pass

Audited by Gen Agent Trust Hub on May 29, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of the pyzotero package and its CLI components from standard, well-known registries like PyPI.
  • [CREDENTIALS_UNSAFE]: The documentation includes placeholder credentials (e.g., 'ABC1234XYZ') for instructional purposes and correctly advises users to manage sensitive API keys via environment variables or .env files.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes data from external bibliographic libraries, including item titles, notes, and full-text PDF content, which constitutes a surface for indirect prompt injection.
  • Ingestion points: Data enters the context via zot.items(), zot.everything(), and zot.fulltext_item() as described in references/read-api.md and references/full-text.md.
  • Boundary markers: The instructions do not define specific delimiters or instructions to ignore embedded commands in the retrieved bibliographic data.
  • Capability inventory: The skill has access to powerful tools including Bash, Write, and Edit as specified in SKILL.md.
  • Sanitization: There is no mention of sanitization, escaping, or validation of the content retrieved from the Zotero API before it is processed by the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
May 29, 2026, 12:31 PM
Security Audit — agent-trust-hub — pyzotero